Add SELinux filesystem relabeling to init

Since not all recoveries out there will support the OTA packages' own labeling, check at boot if the system needs labels (and apply them) Change-Id: I58767977b90a78a12efe7bd9d713654eadf47e7a
2013-07-17 16:45:20 +01:00 · 2013-07-17 16:45:20 +01:00 · d2d1a7ffb1
commit d2d1a7ffb1
parent 1f1434338b
2 changed files with 50 additions and 0 deletions
--- a/config/common.mk
+++ b/config/common.mk
@ -95,6 +95,10 @@ PRODUCT_COPY_FILES += \
 PRODUCT_COPY_FILES += \
    vendor/cm/prebuilt/common/etc/init.d/90userinit:system/etc/init.d/90userinit

+# SELinux filesystem labels
+PRODUCT_COPY_FILES += \
+    vendor/cm/prebuilt/common/etc/init.d/50selinuxrelabel:system/etc/init.d/50selinuxrelabel
+
 # CM-specific init file
 PRODUCT_COPY_FILES += \
    vendor/cm/prebuilt/common/etc/init.local.rc:root/init.cm.rc
--- a/prebuilt/common/etc/init.d/50selinuxrelabel
+++ b/prebuilt/common/etc/init.d/50selinuxrelabel
@ -0,0 +1,46 @@
+#!/system/bin/sh
+
+L="log -p i -t SELinuxLabel"
+
+# Bail out early if not on a SELinux build
+getprop ro.build.selinux | grep -q 1 || exit
+if [ ! -f /file_contexts ]; then
+  exit
+fi
+
+LABELDATA=0
+LABELSYS=0
+
+# Test /data
+ls -Zd /data/anr | grep -q unlabeled
+if [ $? -eq 0 ]; then
+  $L "userdata is unlabeled, fixing..."
+  LABELDATA=1
+fi
+
+ls -Z /system/bin/surfaceflinger | grep -q unlabeled
+if [ $? -eq 0 ]; then
+  $L "system is unlabeled, fixing... (You really should update your recovery)"
+  LABELSYS=1
+fi
+
+ls -Z /system/app/GoogleServicesFramework.apk | grep -q unlabeled
+if [ $LABELSYS = "0" -a $? -eq 0 ]; then
+  $L "Found unlabeled Google framework, fixing..."
+  LABELSYS=1
+fi
+
+
+if [ $LABELSYS = "1" ]; then
+  busybox mount -o remount,rw /system
+  $L "/system relabel starting..."
+  restorecon -R /system
+  $L "/system relabel complete"
+  busybox mount -o remount,ro /system
+fi
+
+if [ $LABELDATA = "1" ]; then
+  $L "/data relabel starting..."
+  restorecon -R /data
+  $L "/data relabel complete"
+fi