Google Git
Sign in
android / platform / external / selinux / 4a792614521f82ffa73448483071925a2b77315b^! / .
commit4a792614521f82ffa73448483071925a2b77315b[log] [tgz]
authorNick Kralevich <[email protected]>Thu Apr 04 16:14:08 2019 -0700
committerNick Kralevich <[email protected]>Fri Apr 05 09:52:16 2019 -0700
treeb45e839df31d046e0f9262db2f799f9f633b4b2c
parent5e34461434e8724ddf0ff0de5178486777b4319c [diff]
add SELINUX_ANDROID_RESTORECON_SKIP_SEHASH

Allow callers to indicate that they don't want to compute the sehash
value. Callers may not have CAP_SYS_ADMIN, so attempting to write the
sehash value will result in the following (harmless) errors:

  SELinux:  setxattr failed: /data/app/com.andromeda.androbench2-z5oLVfPATqQF35yGDuMUeA==:  Operation not permitted

TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit.

Bugs where this error message has been called out:
Bug: 129766333
Bug: 129271240
Bug: 128700692
Bug: 129925723

Test: install an APK and ensure that no "SELinux:  setxattr failed"
    error messages are generated.

(cherry picked from commit 3060b61d412fa30e91fb13dd29b82d994143aa30)

Change-Id: Iddfb221354ee6336c6ef99d7950b9d1a1a07d5ac

diff --git a/libselinux/include/selinux/android.h b/libselinux/include/selinux/android.h
index 556cbbe..99fc9ef 100644
--- a/libselinux/include/selinux/android.h
+++ b/libselinux/include/selinux/android.h

@@ -53,6 +53,7 @@
 #define SELINUX_ANDROID_RESTORECON_DATADATA 16
 #define SELINUX_ANDROID_RESTORECON_SKIPCE   32
 #define SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS   64
+#define SELINUX_ANDROID_RESTORECON_SKIP_SEHASH         128
 extern int selinux_android_restorecon(const char *file, unsigned int flags);
 
 extern int selinux_android_restorecon_pkgdir(const char *pkgdir,

diff --git a/libselinux/src/android/android_platform.c b/libselinux/src/android/android_platform.c
index 555b2b0..c0e6044 100644
--- a/libselinux/src/android/android_platform.c
+++ b/libselinux/src/android/android_platform.c

@@ -1569,8 +1569,8 @@
     bool datadata = (flags & SELINUX_ANDROID_RESTORECON_DATADATA) ? true : false;
     bool skipce = (flags & SELINUX_ANDROID_RESTORECON_SKIPCE) ? true : false;
     bool cross_filesystems = (flags & SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS) ? true : false;
+    bool setrestoreconlast = (flags & SELINUX_ANDROID_RESTORECON_SKIP_SEHASH) ? false : true;
     bool issys;
-    bool setrestoreconlast = true;
     struct stat sb;
     struct statfs sfsb;
     FTS *fts;