Allow /postinstall files to have custom contexts

We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967
Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631

diff --git a/aosp/hardware_android.cc b/aosp/hardware_android.cc
index 0ac82d6..624cfc9 100644
--- a/aosp/hardware_android.cc
+++ b/aosp/hardware_android.cc
@@ -346,4 +346,30 @@
return error_code;
}
+// Mount options for non-system partitions. This option causes selinux treat
+// every file in the mounted filesystem as having the 'postinstall_file'
+// context, regardless of what the filesystem itself records. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kDefaultPostinstallMountOptions =
+ "context=u:object_r:postinstall_file:s0";
+
+// Mount options for system partitions. This option causes selinux to use the
+// 'postinstall_file' context as a fallback if there are no other selinux
+// contexts associated with the file in the mounted partition. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kSystemPostinstallMountOptions =
+ "defcontext=u:object_r:postinstall_file:s0";
+
+// Name of the system-partition
+constexpr std::string_view kSystemPartitionName = "system";
+
+const char* HardwareAndroid::GetPartitionMountOptions(
+ const std::string& partition_name) const {
+ if (partition_name == kSystemPartitionName) {
+ return kSystemPostinstallMountOptions;
+ } else {
+ return kDefaultPostinstallMountOptions;
+ }
+}
+
} // namespace chromeos_update_engine
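
Review bot: In GetPartitionMountOptions, the exact comparison `partition_name == kSystemPartitionName` is the only thing deciding whether on-disk labels are honored (`defcontext=`) or overridden (`context=`), and nothing in the hunk documents what form of name callers are expected to pass. Any name other than the literal "system" (for example one carrying a suffix) silently takes the `context=` branch. That is the safe direction, but it means the per-file contexts this change is meant to enable would be ignored with no signal. Suggest stating the expected name format in a comment on the function and covering both branches in update_engine_unittests. Separately, the first added comment reads "causes selinux treat" and should read "causes selinux to treat", and since the `if` branch returns, the `else` can be dropped.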