1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // This file contains the functions that initialize SELinux during boot as well as helper functions
18 // for SELinux operation for init.
19
20 // When the system boots, there is no SEPolicy present and init is running in the kernel domain.
21 // Init loads the SEPolicy from the file system, restores the context of /system/bin/init based on
22 // this SEPolicy, and finally exec()'s itself to run in the proper domain.
23
24 // The SEPolicy on Android comes in two variants: monolithic and split.
25
26 // The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy
27 // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
28
29 // The split policy is for supporting treble devices and updateable apexes. It splits the SEPolicy
30 // across files on /system/etc/selinux (the 'plat' portion of the policy), /vendor/etc/selinux
31 // (the 'vendor' portion of the policy), /system_ext/etc/selinux, /product/etc/selinux,
32 // /odm/etc/selinux, and /dev/selinux (the apex portion of policy). This is necessary to allow
33 // images to be updated independently of the vendor image, while maintaining contributions from
34 // multiple partitions in the SEPolicy. This is especially important for VTS testing, where the
35 // SEPolicy on the Google System Image may not be identical to the system image shipped on a
36 // vendor's device.
37
38 // The split SEPolicy is loaded as described below:
39 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
40 // /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
41 // are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext, /product, and apex
42 // that were used to compile this precompiled policy. The system partition contains a similar
43 // sha256 of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext,
44 // product, and apex contain sha256 hashes of their SEPolicy. Init loads this
45 // precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
46 // /vendor or /odm match the hashes for system, system_ext, product, and apex SEPolicy,
47 // respectively.
48 // 2) If these hashes do not match, then either /system or /system_ext /product, or apex (or some of
49 // them) have been updated out of sync with /vendor (or /odm if it is present) and the init needs
50 // to compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by
51 // the OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
52 // That function contains even more documentation with the specific implementation details of how
53 // the SEPolicy is compiled if needed.
54
55 #include "selinux.h"
56
57 #include <android/api-level.h>
58 #include <fcntl.h>
59 #include <linux/audit.h>
60 #include <linux/netlink.h>
61 #include <stdlib.h>
62 #include <sys/wait.h>
63 #include <unistd.h>
64 #include <fstream>
65
66 #include <CertUtils.h>
67 #include <android-base/chrono_utils.h>
68 #include <android-base/file.h>
69 #include <android-base/logging.h>
70 #include <android-base/parseint.h>
71 #include <android-base/result.h>
72 #include <android-base/scopeguard.h>
73 #include <android-base/strings.h>
74 #include <android-base/unique_fd.h>
75 #include <fs_avb/fs_avb.h>
76 #include <fs_mgr.h>
77 #include <fsverity_init.h>
78 #include <libgsi/libgsi.h>
79 #include <libsnapshot/snapshot.h>
80 #include <mini_keyctl_utils.h>
81 #include <selinux/android.h>
82 #include <ziparchive/zip_archive.h>
83
84 #include "block_dev_initializer.h"
85 #include "debug_ramdisk.h"
86 #include "reboot_utils.h"
87 #include "snapuserd_transition.h"
88 #include "util.h"
89
90 using namespace std::string_literals;
91
92 using android::base::ParseInt;
93 using android::base::Timer;
94 using android::base::unique_fd;
95 using android::fs_mgr::AvbHandle;
96 using android::snapshot::SnapshotManager;
97
98 namespace android {
99 namespace init {
100
101 namespace {
102
103 enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
104
StatusFromProperty()105 EnforcingStatus StatusFromProperty() {
106 EnforcingStatus status = SELINUX_ENFORCING;
107
108 ImportKernelCmdline([&](const std::string& key, const std::string& value) {
109 if (key == "androidboot.selinux" && value == "permissive") {
110 status = SELINUX_PERMISSIVE;
111 }
112 });
113
114 if (status == SELINUX_ENFORCING) {
115 ImportBootconfig([&](const std::string& key, const std::string& value) {
116 if (key == "androidboot.selinux" && value == "permissive") {
117 status = SELINUX_PERMISSIVE;
118 }
119 });
120 }
121
122 return status;
123 }
124
IsEnforcing()125 bool IsEnforcing() {
126 if (ALLOW_PERMISSIVE_SELINUX) {
127 return StatusFromProperty() == SELINUX_ENFORCING;
128 }
129 return true;
130 }
131
132 // Forks, executes the provided program in the child, and waits for the completion in the parent.
133 // Child's stderr is captured and logged using LOG(ERROR).
ForkExecveAndWaitForCompletion(const char * filename,char * const argv[])134 bool ForkExecveAndWaitForCompletion(const char* filename, char* const argv[]) {
135 // Create a pipe used for redirecting child process's output.
136 // * pipe_fds[0] is the FD the parent will use for reading.
137 // * pipe_fds[1] is the FD the child will use for writing.
138 int pipe_fds[2];
139 if (pipe(pipe_fds) == -1) {
140 PLOG(ERROR) << "Failed to create pipe";
141 return false;
142 }
143
144 pid_t child_pid = fork();
145 if (child_pid == -1) {
146 PLOG(ERROR) << "Failed to fork for " << filename;
147 return false;
148 }
149
150 if (child_pid == 0) {
151 // fork succeeded -- this is executing in the child process
152
153 // Close the pipe FD not used by this process
154 close(pipe_fds[0]);
155
156 // Redirect stderr to the pipe FD provided by the parent
157 if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) {
158 PLOG(ERROR) << "Failed to redirect stderr of " << filename;
159 _exit(127);
160 return false;
161 }
162 close(pipe_fds[1]);
163
164 if (execv(filename, argv) == -1) {
165 PLOG(ERROR) << "Failed to execve " << filename;
166 return false;
167 }
168 // Unreachable because execve will have succeeded and replaced this code
169 // with child process's code.
170 _exit(127);
171 return false;
172 } else {
173 // fork succeeded -- this is executing in the original/parent process
174
175 // Close the pipe FD not used by this process
176 close(pipe_fds[1]);
177
178 // Log the redirected output of the child process.
179 // It's unfortunate that there's no standard way to obtain an istream for a file descriptor.
180 // As a result, we're buffering all output and logging it in one go at the end of the
181 // invocation, instead of logging it as it comes in.
182 const int child_out_fd = pipe_fds[0];
183 std::string child_output;
184 if (!android::base::ReadFdToString(child_out_fd, &child_output)) {
185 PLOG(ERROR) << "Failed to capture full output of " << filename;
186 }
187 close(child_out_fd);
188 if (!child_output.empty()) {
189 // Log captured output, line by line, because LOG expects to be invoked for each line
190 std::istringstream in(child_output);
191 std::string line;
192 while (std::getline(in, line)) {
193 LOG(ERROR) << filename << ": " << line;
194 }
195 }
196
197 // Wait for child to terminate
198 int status;
199 if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) {
200 PLOG(ERROR) << "Failed to wait for " << filename;
201 return false;
202 }
203
204 if (WIFEXITED(status)) {
205 int status_code = WEXITSTATUS(status);
206 if (status_code == 0) {
207 return true;
208 } else {
209 LOG(ERROR) << filename << " exited with status " << status_code;
210 }
211 } else if (WIFSIGNALED(status)) {
212 LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status);
213 } else if (WIFSTOPPED(status)) {
214 LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status);
215 } else {
216 LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status;
217 }
218
219 return false;
220 }
221 }
222
ReadFirstLine(const char * file,std::string * line)223 bool ReadFirstLine(const char* file, std::string* line) {
224 line->clear();
225
226 std::string contents;
227 if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) {
228 return false;
229 }
230 std::istringstream in(contents);
231 std::getline(in, *line);
232 return true;
233 }
234
FindPrecompiledSplitPolicy()235 Result<std::string> FindPrecompiledSplitPolicy() {
236 std::string precompiled_sepolicy;
237 // If there is an odm partition, precompiled_sepolicy will be in
238 // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
239 static constexpr const char vendor_precompiled_sepolicy[] =
240 "/vendor/etc/selinux/precompiled_sepolicy";
241 static constexpr const char odm_precompiled_sepolicy[] =
242 "/odm/etc/selinux/precompiled_sepolicy";
243 if (access(odm_precompiled_sepolicy, R_OK) == 0) {
244 precompiled_sepolicy = odm_precompiled_sepolicy;
245 } else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
246 precompiled_sepolicy = vendor_precompiled_sepolicy;
247 } else {
248 return ErrnoError() << "No precompiled sepolicy at " << vendor_precompiled_sepolicy;
249 }
250
251 // Use precompiled sepolicy only when all corresponding hashes are equal.
252 std::vector<std::pair<std::string, std::string>> sepolicy_hashes{
253 {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256",
254 precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256"},
255 {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
256 precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"},
257 {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
258 precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"},
259 {"/dev/selinux/apex_sepolicy.sha256", precompiled_sepolicy + ".apex_sepolicy.sha256"},
260 };
261
262 for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) {
263 // Both of them should exist or both of them shouldn't exist.
264 if (access(actual_id_path.c_str(), R_OK) != 0) {
265 if (access(precompiled_id_path.c_str(), R_OK) == 0) {
266 return Error() << precompiled_id_path << " exists but " << actual_id_path
267 << " doesn't";
268 }
269 continue;
270 }
271
272 std::string actual_id;
273 if (!ReadFirstLine(actual_id_path.c_str(), &actual_id)) {
274 return ErrnoError() << "Failed to read " << actual_id_path;
275 }
276
277 std::string precompiled_id;
278 if (!ReadFirstLine(precompiled_id_path.c_str(), &precompiled_id)) {
279 return ErrnoError() << "Failed to read " << precompiled_id_path;
280 }
281
282 if (actual_id.empty() || actual_id != precompiled_id) {
283 return Error() << actual_id_path << " and " << precompiled_id_path << " differ";
284 }
285 }
286
287 return precompiled_sepolicy;
288 }
289
GetVendorMappingVersion(std::string * plat_vers)290 bool GetVendorMappingVersion(std::string* plat_vers) {
291 if (!ReadFirstLine("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
292 PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
293 return false;
294 }
295 if (plat_vers->empty()) {
296 LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
297 return false;
298 }
299 return true;
300 }
301
302 constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
303
IsSplitPolicyDevice()304 bool IsSplitPolicyDevice() {
305 return access(plat_policy_cil_file, R_OK) != -1;
306 }
307
GetUserdebugPlatformPolicyFile()308 std::optional<const char*> GetUserdebugPlatformPolicyFile() {
309 // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
310 const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
311 if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {
312 const std::vector<const char*> debug_policy_candidates = {
313 #if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1
314 "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",
315 #endif
316 kDebugRamdiskSEPolicy,
317 };
318 for (const char* debug_policy : debug_policy_candidates) {
319 if (access(debug_policy, F_OK) == 0) {
320 return debug_policy;
321 }
322 }
323 }
324 return std::nullopt;
325 }
326
327 struct PolicyFile {
328 unique_fd fd;
329 std::string path;
330 };
331
OpenSplitPolicy(PolicyFile * policy_file)332 bool OpenSplitPolicy(PolicyFile* policy_file) {
333 // IMPLEMENTATION NOTE: Split policy consists of three or more CIL files:
334 // * platform -- policy needed due to logic contained in the system image,
335 // * vendor -- policy needed due to logic contained in the vendor image,
336 // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
337 // with newer versions of platform policy.
338 // * (optional) policy needed due to logic on product, system_ext, odm, or apex.
339 // secilc is invoked to compile the above three policy files into a single monolithic policy
340 // file. This file is then loaded into the kernel.
341
342 const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();
343 const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();
344 if (use_userdebug_policy) {
345 LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;
346 }
347
348 // Load precompiled policy from vendor image, if a matching policy is found there. The policy
349 // must match the platform policy on the system image.
350 // use_userdebug_policy requires compiling sepolicy with userdebug_plat_sepolicy.cil.
351 // Thus it cannot use the precompiled policy from vendor image.
352 if (!use_userdebug_policy) {
353 if (auto res = FindPrecompiledSplitPolicy(); res.ok()) {
354 unique_fd fd(open(res->c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
355 if (fd != -1) {
356 policy_file->fd = std::move(fd);
357 policy_file->path = std::move(*res);
358 return true;
359 }
360 } else {
361 LOG(INFO) << res.error();
362 }
363 }
364 // No suitable precompiled policy could be loaded
365
366 LOG(INFO) << "Compiling SELinux policy";
367
368 // We store the output of the compilation on /dev because this is the most convenient tmpfs
369 // storage mount available this early in the boot sequence.
370 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
371 unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
372 if (compiled_sepolicy_fd < 0) {
373 PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy;
374 return false;
375 }
376
377 // Determine which mapping file to include
378 std::string vend_plat_vers;
379 if (!GetVendorMappingVersion(&vend_plat_vers)) {
380 return false;
381 }
382 std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
383
384 std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers +
385 ".compat.cil");
386 if (access(plat_compat_cil_file.c_str(), F_OK) == -1) {
387 plat_compat_cil_file.clear();
388 }
389
390 std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
391 if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
392 system_ext_policy_cil_file.clear();
393 }
394
395 std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
396 ".cil");
397 if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
398 system_ext_mapping_file.clear();
399 }
400
401 std::string system_ext_compat_cil_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
402 ".compat.cil");
403 if (access(system_ext_compat_cil_file.c_str(), F_OK) == -1) {
404 system_ext_compat_cil_file.clear();
405 }
406
407 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
408 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
409 product_policy_cil_file.clear();
410 }
411
412 std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
413 if (access(product_mapping_file.c_str(), F_OK) == -1) {
414 product_mapping_file.clear();
415 }
416
417 std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
418 if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
419 LOG(ERROR) << "Missing " << vendor_policy_cil_file;
420 return false;
421 }
422
423 std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
424 if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
425 LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file;
426 return false;
427 }
428
429 // odm_sepolicy.cil is default but optional.
430 std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
431 if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
432 odm_policy_cil_file.clear();
433 }
434
435 // apex_sepolicy.cil is default but optional.
436 std::string apex_policy_cil_file("/dev/selinux/apex_sepolicy.cil");
437 if (access(apex_policy_cil_file.c_str(), F_OK) == -1) {
438 apex_policy_cil_file.clear();
439 }
440 const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
441
442 // clang-format off
443 std::vector<const char*> compile_args {
444 "/system/bin/secilc",
445 use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,
446 "-m", "-M", "true", "-G", "-N",
447 "-c", version_as_string.c_str(),
448 plat_mapping_file.c_str(),
449 "-o", compiled_sepolicy,
450 // We don't care about file_contexts output by the compiler
451 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
452 };
453 // clang-format on
454
455 if (!plat_compat_cil_file.empty()) {
456 compile_args.push_back(plat_compat_cil_file.c_str());
457 }
458 if (!system_ext_policy_cil_file.empty()) {
459 compile_args.push_back(system_ext_policy_cil_file.c_str());
460 }
461 if (!system_ext_mapping_file.empty()) {
462 compile_args.push_back(system_ext_mapping_file.c_str());
463 }
464 if (!system_ext_compat_cil_file.empty()) {
465 compile_args.push_back(system_ext_compat_cil_file.c_str());
466 }
467 if (!product_policy_cil_file.empty()) {
468 compile_args.push_back(product_policy_cil_file.c_str());
469 }
470 if (!product_mapping_file.empty()) {
471 compile_args.push_back(product_mapping_file.c_str());
472 }
473 if (!plat_pub_versioned_cil_file.empty()) {
474 compile_args.push_back(plat_pub_versioned_cil_file.c_str());
475 }
476 if (!vendor_policy_cil_file.empty()) {
477 compile_args.push_back(vendor_policy_cil_file.c_str());
478 }
479 if (!odm_policy_cil_file.empty()) {
480 compile_args.push_back(odm_policy_cil_file.c_str());
481 }
482 if (!apex_policy_cil_file.empty()) {
483 compile_args.push_back(apex_policy_cil_file.c_str());
484 }
485 compile_args.push_back(nullptr);
486
487 if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
488 unlink(compiled_sepolicy);
489 return false;
490 }
491 unlink(compiled_sepolicy);
492
493 policy_file->fd = std::move(compiled_sepolicy_fd);
494 policy_file->path = compiled_sepolicy;
495 return true;
496 }
497
OpenMonolithicPolicy(PolicyFile * policy_file)498 bool OpenMonolithicPolicy(PolicyFile* policy_file) {
499 static constexpr char kSepolicyFile[] = "/sepolicy";
500
501 LOG(VERBOSE) << "Opening SELinux policy from monolithic file";
502 policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
503 if (policy_file->fd < 0) {
504 PLOG(ERROR) << "Failed to open monolithic SELinux policy";
505 return false;
506 }
507 policy_file->path = kSepolicyFile;
508 return true;
509 }
510
511 constexpr const char* kSigningCertRelease =
512 "/system/etc/selinux/com.android.sepolicy.cert-release.der";
513 constexpr const char* kFsVerityProcPath = "/proc/sys/fs/verity";
514 const std::string kSepolicyApexMetadataDir = "/metadata/sepolicy/";
515 const std::string kSepolicyApexSystemDir = "/system/etc/selinux/apex/";
516 const std::string kSepolicyZip = "SEPolicy.zip";
517 const std::string kSepolicySignature = "SEPolicy.zip.sig";
518
519 const std::string kTmpfsDir = "/dev/selinux/";
520
521 // Files that are deleted after policy is compiled/loaded.
522 const std::vector<std::string> kApexSepolicyTmp{"apex_sepolicy.cil", "apex_sepolicy.sha256"};
523 // Files that need to persist because they are used by userspace processes.
524 const std::vector<std::string> kApexSepolicy{"apex_file_contexts", "apex_property_contexts",
525 "apex_service_contexts", "apex_seapp_contexts",
526 "apex_test"};
527
CreateTmpfsDir()528 Result<void> CreateTmpfsDir() {
529 mode_t mode = 0744;
530 struct stat stat_data;
531 if (stat(kTmpfsDir.c_str(), &stat_data) != 0) {
532 if (errno != ENOENT) {
533 return ErrnoError() << "Could not stat " << kTmpfsDir;
534 }
535 if (mkdir(kTmpfsDir.c_str(), mode) != 0) {
536 return ErrnoError() << "Could not mkdir " << kTmpfsDir;
537 }
538 } else {
539 if (!S_ISDIR(stat_data.st_mode)) {
540 return Error() << kTmpfsDir << " exists and is not a directory.";
541 }
542 LOG(WARNING) << "Directory " << kTmpfsDir << " already exists";
543 }
544
545 // Need to manually call chmod because mkdir will create a folder with
546 // permissions mode & ~umask.
547 if (chmod(kTmpfsDir.c_str(), mode) != 0) {
548 return ErrnoError() << "Could not chmod " << kTmpfsDir;
549 }
550
551 return {};
552 }
553
PutFileInTmpfs(ZipArchiveHandle archive,const std::string & fileName)554 Result<void> PutFileInTmpfs(ZipArchiveHandle archive, const std::string& fileName) {
555 ZipEntry entry;
556 std::string dstPath = kTmpfsDir + fileName;
557
558 int ret = FindEntry(archive, fileName, &entry);
559 if (ret != 0) {
560 // All files are optional. If a file doesn't exist, return without error.
561 return {};
562 }
563
564 unique_fd fd(TEMP_FAILURE_RETRY(
565 open(dstPath.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR)));
566 if (fd == -1) {
567 return ErrnoError() << "Failed to open " << dstPath;
568 }
569
570 ret = ExtractEntryToFile(archive, &entry, fd.get());
571 if (ret != 0) {
572 return Error() << "Failed to extract entry \"" << fileName << "\" ("
573 << entry.uncompressed_length << " bytes) to \"" << dstPath
574 << "\": " << ErrorCodeString(ret);
575 }
576
577 return {};
578 }
579
GetPolicyFromApex(const std::string & dir)580 Result<void> GetPolicyFromApex(const std::string& dir) {
581 LOG(INFO) << "Loading APEX Sepolicy from " << dir + kSepolicyZip;
582 unique_fd fd(open((dir + kSepolicyZip).c_str(), O_RDONLY | O_BINARY | O_CLOEXEC));
583 if (fd < 0) {
584 return ErrnoError() << "Failed to open package " << dir + kSepolicyZip;
585 }
586
587 ZipArchiveHandle handle;
588 int ret = OpenArchiveFd(fd.get(), (dir + kSepolicyZip).c_str(), &handle,
589 /*assume_ownership=*/false);
590 if (ret < 0) {
591 return Error() << "Failed to open package " << dir + kSepolicyZip << ": "
592 << ErrorCodeString(ret);
593 }
594
595 auto handle_guard = android::base::make_scope_guard([&handle] { CloseArchive(handle); });
596
597 auto create = CreateTmpfsDir();
598 if (!create.ok()) {
599 return create.error();
600 }
601
602 for (const auto& file : kApexSepolicy) {
603 auto extract = PutFileInTmpfs(handle, file);
604 if (!extract.ok()) {
605 return extract.error();
606 }
607 }
608 for (const auto& file : kApexSepolicyTmp) {
609 auto extract = PutFileInTmpfs(handle, file);
610 if (!extract.ok()) {
611 return extract.error();
612 }
613 }
614 return {};
615 }
616
LoadSepolicyApexCerts()617 Result<void> LoadSepolicyApexCerts() {
618 key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
619 if (keyring_id < 0) {
620 return Error() << "Failed to find .fs-verity keyring id";
621 }
622
623 // TODO(b/199914227) the release key should always exist. Once it's checked in, start
624 // throwing an error here if it doesn't exist.
625 if (access(kSigningCertRelease, F_OK) == 0) {
626 LoadKeyFromFile(keyring_id, "fsv_sepolicy_apex_release", kSigningCertRelease);
627 }
628 return {};
629 }
630
SepolicyFsVerityCheck()631 Result<void> SepolicyFsVerityCheck() {
632 return Error() << "TODO implement support for fsverity SEPolicy.";
633 }
634
SepolicyCheckSignature(const std::string & dir)635 Result<void> SepolicyCheckSignature(const std::string& dir) {
636 std::string signature;
637 if (!android::base::ReadFileToString(dir + kSepolicySignature, &signature)) {
638 return ErrnoError() << "Failed to read " << kSepolicySignature;
639 }
640
641 std::fstream sepolicyZip(dir + kSepolicyZip, std::ios::in | std::ios::binary);
642 if (!sepolicyZip) {
643 return Error() << "Failed to open " << kSepolicyZip;
644 }
645 sepolicyZip.seekg(0);
646 std::string sepolicyStr((std::istreambuf_iterator<char>(sepolicyZip)),
647 std::istreambuf_iterator<char>());
648
649 auto releaseKey = extractPublicKeyFromX509(kSigningCertRelease);
650 if (!releaseKey.ok()) {
651 return releaseKey.error();
652 }
653
654 return verifySignature(sepolicyStr, signature, *releaseKey);
655 }
656
SepolicyVerify(const std::string & dir,bool supportsFsVerity)657 Result<void> SepolicyVerify(const std::string& dir, bool supportsFsVerity) {
658 if (supportsFsVerity) {
659 auto fsVerityCheck = SepolicyFsVerityCheck();
660 if (fsVerityCheck.ok()) {
661 return fsVerityCheck;
662 }
663 // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail to
664 // boot and not carry on. For now, fallback to a signature checkuntil the fsverity
665 // logic is implemented.
666 LOG(INFO) << "Falling back to standard signature check. " << fsVerityCheck.error();
667 }
668
669 auto sepolicySignature = SepolicyCheckSignature(dir);
670 if (!sepolicySignature.ok()) {
671 return Error() << "Apex SEPolicy failed signature check";
672 }
673 return {};
674 }
675
CleanupApexSepolicy()676 void CleanupApexSepolicy() {
677 for (const auto& file : kApexSepolicyTmp) {
678 std::string path = kTmpfsDir + file;
679 unlink(path.c_str());
680 }
681 }
682
683 // Updatable sepolicy is shipped within an zip within an APEX. Because
684 // it needs to be available before Apexes are mounted, apexd copies
685 // the zip from the APEX and stores it in /metadata/sepolicy. If there is
686 // no updatable sepolicy in /metadata/sepolicy, then the updatable policy is
687 // loaded from /system/etc/selinux/apex. Init performs the following
688 // steps on boot:
689 //
690 // 1. Validates the zip by checking its signature against a public key that is
691 // stored in /system/etc/selinux.
692 // 2. Extracts files from zip and stores them in /dev/selinux.
693 // 3. Checks if the apex_sepolicy.sha256 matches the sha256 of precompiled_sepolicy.
694 // if so, the precompiled sepolicy is used. Otherwise, an on-device compile of the policy
695 // is used. This is the same flow as on-device compilation of policy for Treble.
696 // 4. Cleans up files in /dev/selinux which are no longer needed.
697 // 5. Restorecons the remaining files in /dev/selinux.
698 // 6. Sets selinux into enforcing mode and continues normal booting.
699 //
PrepareApexSepolicy()700 void PrepareApexSepolicy() {
701 bool supportsFsVerity = access(kFsVerityProcPath, F_OK) == 0;
702 if (supportsFsVerity) {
703 auto loadSepolicyApexCerts = LoadSepolicyApexCerts();
704 if (!loadSepolicyApexCerts.ok()) {
705 // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail
706 // to boot and not carry on. For now, fallback to a signature checkuntil the fsverity
707 // logic is implemented.
708 LOG(INFO) << loadSepolicyApexCerts.error();
709 }
710 }
711 // If apex sepolicy zip exists in /metadata/sepolicy, use that, otherwise use version on
712 // /system.
713 auto dir = (access((kSepolicyApexMetadataDir + kSepolicyZip).c_str(), F_OK) == 0)
714 ? kSepolicyApexMetadataDir
715 : kSepolicyApexSystemDir;
716
717 auto sepolicyVerify = SepolicyVerify(dir, supportsFsVerity);
718 if (!sepolicyVerify.ok()) {
719 LOG(INFO) << "Error: " << sepolicyVerify.error();
720 // If signature verification fails, fall back to version on /system.
721 // This file doesn't need to be verified because it lives on the system partition which
722 // is signed and protected by verified boot.
723 dir = kSepolicyApexSystemDir;
724 }
725
726 auto apex = GetPolicyFromApex(dir);
727 if (!apex.ok()) {
728 // TODO(b/199914227) Make failure fatal. For now continue booting with non-apex sepolicy.
729 LOG(ERROR) << apex.error();
730 }
731 }
732
ReadPolicy(std::string * policy)733 void ReadPolicy(std::string* policy) {
734 PolicyFile policy_file;
735
736 bool ok = IsSplitPolicyDevice() ? OpenSplitPolicy(&policy_file)
737 : OpenMonolithicPolicy(&policy_file);
738 if (!ok) {
739 LOG(FATAL) << "Unable to open SELinux policy";
740 }
741
742 if (!android::base::ReadFdToString(policy_file.fd, policy)) {
743 PLOG(FATAL) << "Failed to read policy file: " << policy_file.path;
744 }
745 }
746
SelinuxSetEnforcement()747 void SelinuxSetEnforcement() {
748 bool kernel_enforcing = (security_getenforce() == 1);
749 bool is_enforcing = IsEnforcing();
750 if (kernel_enforcing != is_enforcing) {
751 if (security_setenforce(is_enforcing)) {
752 PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
753 << ") failed";
754 }
755 }
756
757 if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
758 LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
759 }
760 }
761
762 constexpr size_t kKlogMessageSize = 1024;
763
SelinuxAvcLog(char * buf)764 void SelinuxAvcLog(char* buf) {
765 struct NetlinkMessage {
766 nlmsghdr hdr;
767 char buf[kKlogMessageSize];
768 } request = {};
769
770 request.hdr.nlmsg_flags = NLM_F_REQUEST;
771 request.hdr.nlmsg_type = AUDIT_USER_AVC;
772 request.hdr.nlmsg_len = sizeof(request);
773 strlcpy(request.buf, buf, sizeof(request.buf));
774
775 auto fd = unique_fd{socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT)};
776 if (!fd.ok()) {
777 return;
778 }
779
780 TEMP_FAILURE_RETRY(send(fd.get(), &request, sizeof(request), 0));
781 }
782
783 } // namespace
784
SelinuxRestoreContext()785 void SelinuxRestoreContext() {
786 LOG(INFO) << "Running restorecon...";
787 selinux_android_restorecon("/dev", 0);
788 selinux_android_restorecon("/dev/console", 0);
789 selinux_android_restorecon("/dev/kmsg", 0);
790 if constexpr (WORLD_WRITABLE_KMSG) {
791 selinux_android_restorecon("/dev/kmsg_debug", 0);
792 }
793 selinux_android_restorecon("/dev/null", 0);
794 selinux_android_restorecon("/dev/ptmx", 0);
795 selinux_android_restorecon("/dev/socket", 0);
796 selinux_android_restorecon("/dev/random", 0);
797 selinux_android_restorecon("/dev/urandom", 0);
798 selinux_android_restorecon("/dev/__properties__", 0);
799
800 selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
801 selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE);
802 selinux_android_restorecon("/dev/device-mapper", 0);
803
804 selinux_android_restorecon("/apex", 0);
805
806 selinux_android_restorecon("/linkerconfig", 0);
807
808 // adb remount, snapshot-based updates, and DSUs all create files during
809 // first-stage init.
810 selinux_android_restorecon(SnapshotManager::GetGlobalRollbackIndicatorPath().c_str(), 0);
811 selinux_android_restorecon("/metadata/gsi", SELINUX_ANDROID_RESTORECON_RECURSE |
812 SELINUX_ANDROID_RESTORECON_SKIP_SEHASH);
813 }
814
SelinuxKlogCallback(int type,const char * fmt,...)815 int SelinuxKlogCallback(int type, const char* fmt, ...) {
816 android::base::LogSeverity severity = android::base::ERROR;
817 if (type == SELINUX_WARNING) {
818 severity = android::base::WARNING;
819 } else if (type == SELINUX_INFO) {
820 severity = android::base::INFO;
821 }
822 char buf[kKlogMessageSize];
823 va_list ap;
824 va_start(ap, fmt);
825 int length_written = vsnprintf(buf, sizeof(buf), fmt, ap);
826 va_end(ap);
827 if (length_written <= 0) {
828 return 0;
829 }
830
831 // libselinux log messages usually contain a new line character, while
832 // Android LOG() does not expect it. Remove it to avoid empty lines in
833 // the log buffers.
834 size_t str_len = strlen(buf);
835 if (buf[str_len - 1] == '\n') {
836 buf[str_len - 1] = '\0';
837 }
838
839 if (type == SELINUX_AVC) {
840 SelinuxAvcLog(buf);
841 } else {
842 android::base::KernelLogger(android::base::MAIN, severity, "selinux", nullptr, 0, buf);
843 }
844 return 0;
845 }
846
SelinuxSetupKernelLogging()847 void SelinuxSetupKernelLogging() {
848 selinux_callback cb;
849 cb.func_log = SelinuxKlogCallback;
850 selinux_set_callback(SELINUX_CB_LOG, cb);
851 }
852
SelinuxGetVendorAndroidVersion()853 int SelinuxGetVendorAndroidVersion() {
854 static int vendor_android_version = [] {
855 if (!IsSplitPolicyDevice()) {
856 // If this device does not split sepolicy files, it's not a Treble device and therefore,
857 // we assume it's always on the latest platform.
858 return __ANDROID_API_FUTURE__;
859 }
860
861 std::string version;
862 if (!GetVendorMappingVersion(&version)) {
863 LOG(FATAL) << "Could not read vendor SELinux version";
864 }
865
866 int major_version;
867 std::string major_version_str(version, 0, version.find('.'));
868 if (!ParseInt(major_version_str, &major_version)) {
869 PLOG(FATAL) << "Failed to parse the vendor sepolicy major version "
870 << major_version_str;
871 }
872
873 return major_version;
874 }();
875 return vendor_android_version;
876 }
877
878 // This is for R system.img/system_ext.img to work on old vendor.img as system_ext.img
879 // is introduced in R. We mount system_ext in second stage init because the first-stage
880 // init in boot.img won't be updated in the system-only OTA scenario.
MountMissingSystemPartitions()881 void MountMissingSystemPartitions() {
882 android::fs_mgr::Fstab fstab;
883 if (!ReadDefaultFstab(&fstab)) {
884 LOG(ERROR) << "Could not read default fstab";
885 }
886
887 android::fs_mgr::Fstab mounts;
888 if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
889 LOG(ERROR) << "Could not read /proc/mounts";
890 }
891
892 static const std::vector<std::string> kPartitionNames = {"system_ext", "product"};
893
894 android::fs_mgr::Fstab extra_fstab;
895 for (const auto& name : kPartitionNames) {
896 if (GetEntryForMountPoint(&mounts, "/"s + name)) {
897 // The partition is already mounted.
898 continue;
899 }
900
901 auto system_entries = GetEntriesForMountPoint(&fstab, "/system");
902 for (auto& system_entry : system_entries) {
903 if (!system_entry) {
904 LOG(ERROR) << "Could not find mount entry for /system";
905 break;
906 }
907 if (!system_entry->fs_mgr_flags.logical) {
908 LOG(INFO) << "Skipping mount of " << name << ", system is not dynamic.";
909 break;
910 }
911
912 auto entry = *system_entry;
913 auto partition_name = name + fs_mgr_get_slot_suffix();
914 auto replace_name = "system"s + fs_mgr_get_slot_suffix();
915
916 entry.mount_point = "/"s + name;
917 entry.blk_device =
918 android::base::StringReplace(entry.blk_device, replace_name, partition_name, false);
919 if (!fs_mgr_update_logical_partition(&entry)) {
920 LOG(ERROR) << "Could not update logical partition";
921 continue;
922 }
923
924 extra_fstab.emplace_back(std::move(entry));
925 }
926 }
927
928 SkipMountingPartitions(&extra_fstab, true /* verbose */);
929 if (extra_fstab.empty()) {
930 return;
931 }
932
933 BlockDevInitializer block_dev_init;
934 for (auto& entry : extra_fstab) {
935 if (access(entry.blk_device.c_str(), F_OK) != 0) {
936 auto block_dev = android::base::Basename(entry.blk_device);
937 if (!block_dev_init.InitDmDevice(block_dev)) {
938 LOG(ERROR) << "Failed to find device-mapper node: " << block_dev;
939 continue;
940 }
941 }
942 if (fs_mgr_do_mount_one(entry)) {
943 LOG(ERROR) << "Could not mount " << entry.mount_point;
944 }
945 }
946 }
947
LoadSelinuxPolicy(std::string & policy)948 static void LoadSelinuxPolicy(std::string& policy) {
949 LOG(INFO) << "Loading SELinux policy";
950
951 set_selinuxmnt("/sys/fs/selinux");
952 if (security_load_policy(policy.data(), policy.size()) < 0) {
953 PLOG(FATAL) << "SELinux: Could not load policy";
954 }
955 }
956
957 // The SELinux setup process is carefully orchestrated around snapuserd. Policy
958 // must be loaded off dynamic partitions, and during an OTA, those partitions
959 // cannot be read without snapuserd. But, with kernel-privileged snapuserd
960 // running, loading the policy will immediately trigger audits.
961 //
962 // We use a five-step process to address this:
963 // (1) Read the policy into a string, with snapuserd running.
964 // (2) Rewrite the snapshot device-mapper tables, to generate new dm-user
965 // devices and to flush I/O.
966 // (3) Kill snapuserd, which no longer has any dm-user devices to attach to.
967 // (4) Load the sepolicy and issue critical restorecons in /dev, carefully
968 // avoiding anything that would read from /system.
969 // (5) Re-launch snapuserd and attach it to the dm-user devices from step (2).
970 //
971 // After this sequence, it is safe to enable enforcing mode and continue booting.
SetupSelinux(char ** argv)972 int SetupSelinux(char** argv) {
973 SetStdioToDevNull(argv);
974 InitKernelLogging(argv);
975
976 if (REBOOT_BOOTLOADER_ON_PANIC) {
977 InstallRebootSignalHandlers();
978 }
979
980 boot_clock::time_point start_time = boot_clock::now();
981
982 MountMissingSystemPartitions();
983
984 SelinuxSetupKernelLogging();
985
986 LOG(INFO) << "Opening SELinux policy";
987
988 PrepareApexSepolicy();
989
990 // Read the policy before potentially killing snapuserd.
991 std::string policy;
992 ReadPolicy(&policy);
993 CleanupApexSepolicy();
994
995 auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
996 if (snapuserd_helper) {
997 // Kill the old snapused to avoid audit messages. After this we cannot
998 // read from /system (or other dynamic partitions) until we call
999 // FinishTransition().
1000 snapuserd_helper->StartTransition();
1001 }
1002
1003 LoadSelinuxPolicy(policy);
1004
1005 if (snapuserd_helper) {
1006 // Before enforcing, finish the pending snapuserd transition.
1007 snapuserd_helper->FinishTransition();
1008 snapuserd_helper = nullptr;
1009 }
1010
1011 // This restorecon is intentionally done before SelinuxSetEnforcement because the permissions
1012 // needed to transition files from tmpfs to *_contexts_file context should not be granted to
1013 // any process after selinux is set into enforcing mode.
1014 if (selinux_android_restorecon("/dev/selinux/", SELINUX_ANDROID_RESTORECON_RECURSE) == -1) {
1015 PLOG(FATAL) << "restorecon failed of /dev/selinux failed";
1016 }
1017
1018 SelinuxSetEnforcement();
1019
1020 // We're in the kernel domain and want to transition to the init domain. File systems that
1021 // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
1022 // but other file systems do. In particular, this is needed for ramdisks such as the
1023 // recovery image for A/B devices.
1024 if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
1025 PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
1026 }
1027
1028 setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
1029
1030 const char* path = "/system/bin/init";
1031 const char* args[] = {path, "second_stage", nullptr};
1032 execv(path, const_cast<char**>(args));
1033
1034 // execv() only returns if an error happened, in which case we
1035 // panic and never return from this function.
1036 PLOG(FATAL) << "execv(\"" << path << "\") failed";
1037
1038 return 1;
1039 }
1040
1041 } // namespace init
1042 } // namespace android
1043