191 lines
4.7 KiB
Diff
Executable File
191 lines
4.7 KiB
Diff
Executable File
--- a/CMakeLists.txt 2017-11-27 20:08:14.961623274 +0800
|
|
+++ b/CMakeLists.txt 2017-11-27 15:13:34.564869828 +0800
|
|
@@ -45,6 +45,10 @@
|
|
add_subdirectory(upgraded)
|
|
ENDIF()
|
|
|
|
+IF(SELINUX_ENABLED)
|
|
+ ADD_DEFINITIONS(-DSELINUX_ENABLED)
|
|
+ENDIF()
|
|
+
|
|
ADD_EXECUTABLE(procd ${SOURCES})
|
|
TARGET_LINK_LIBRARIES(procd ${LIBS})
|
|
INSTALL(TARGETS procd
|
|
--- a/initd/init.c 2018-02-09 09:50:41.744091527 +0800
|
|
+++ b/initd/init.c 2018-02-09 09:52:41.000000000 +0800
|
|
@@ -29,6 +29,13 @@
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
|
|
+#if SELINUX_ENABLED
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/label.h>
|
|
+#include <selinux/restorecon.h>
|
|
+#include <ftw.h>
|
|
+#endif
|
|
+
|
|
#include "../utils/utils.h"
|
|
#include "init.h"
|
|
#include "../watchdog.h"
|
|
@@ -67,6 +74,92 @@
|
|
}
|
|
}
|
|
|
|
+#if SELINUX_ENABLED
|
|
+static const struct selinux_opt se_opts[] = {
|
|
+ { SELABEL_OPT_PATH, "/etc/selinux/targeted/contexts/files/file_contexts" },
|
|
+ { 0, NULL } };
|
|
+
|
|
+struct selabel_handle *sehandle = NULL;
|
|
+
|
|
+static int restorecon(const char *pathname)
|
|
+{
|
|
+ char *secontext = NULL;
|
|
+ struct stat sb;
|
|
+
|
|
+ if (is_selinux_enabled() <= 0 || !sehandle)
|
|
+ return 0;
|
|
+
|
|
+ if (lstat(pathname, &sb) < 0) {
|
|
+ return -errno;
|
|
+ }
|
|
+ if (selabel_lookup(sehandle, &secontext, pathname, sb.st_mode) < 0)
|
|
+ return -errno;
|
|
+ if (lsetfilecon(pathname, secontext) < 0) {
|
|
+ freecon(secontext);
|
|
+ return -errno;
|
|
+ }
|
|
+
|
|
+ freecon(secontext);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int nftw_restorecon(const char* filename, const struct stat* statptr,
|
|
+ int fileflags, struct FTW* pftw)
|
|
+{
|
|
+ restorecon(filename);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int restorecon_recursive(const char* pathname)
|
|
+{
|
|
+ int fd_limit = 20;
|
|
+ int flags = FTW_DEPTH | FTW_MOUNT | FTW_PHYS;
|
|
+ return nftw(pathname, nftw_restorecon, fd_limit, flags);
|
|
+}
|
|
+
|
|
+static int procd_selinux_init()
|
|
+{
|
|
+ int enforce = 0;
|
|
+ int ret = 0;
|
|
+ if (getenv("SELINUX_INIT") == NULL) {
|
|
+ putenv((char*)"SELINUX_INIT=YES");
|
|
+
|
|
+ // load policy
|
|
+ if (selinux_init_load_policy(&enforce) == 0)
|
|
+ fprintf(stdout, "SELinux policy load success!\n");
|
|
+ else if (enforce > 0) {
|
|
+ /* SELinux in enforcing mode but load_policy failed */
|
|
+ fprintf(stderr, "can't load SELinux Policy. "
|
|
+ "Machine is in enforcing mode. Halting now.\n");
|
|
+ return EXIT_FAILURE;
|
|
+ }
|
|
+
|
|
+ // set init process security context to u:r:init:s0
|
|
+ if (setcon("u:r:init:s0") == 0)
|
|
+ fprintf(stdout, "set init context success!\n");
|
|
+ else
|
|
+ fprintf(stderr, "set init context error!");
|
|
+
|
|
+ // load file_contexts
|
|
+ sehandle = selabel_open(SELABEL_CTX_FILE, se_opts, 1);
|
|
+ if (!sehandle)
|
|
+ fprintf(stderr, "Error getting file context handle\n");
|
|
+ else
|
|
+ fprintf(stdout, "%s load success!\n", se_opts[0].value);
|
|
+
|
|
+ // restore contexts
|
|
+ ret = selinux_restorecon("/dev", SELINUX_RESTORECON_RECURSE | \
|
|
+ SELINUX_RESTORECON_PROGRESS | \
|
|
+ SELINUX_RESTORECON_MASS_RELABEL | \
|
|
+ SELINUX_RESTORECON_IGNORE_NOENTRY);
|
|
+ if (ret < 0)
|
|
+ fprintf(stdout, "selinux_restorecon /dev failed\n");
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+#endif
|
|
+
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
@@ -80,6 +173,11 @@
|
|
cmdline();
|
|
watchdog_init(1);
|
|
|
|
+#if SELINUX_ENABLED
|
|
+ if (procd_selinux_init() != 0)
|
|
+ return EXIT_FAILURE;
|
|
+#endif
|
|
+
|
|
uloop_init();
|
|
preinit();
|
|
uloop_run();
|
|
diff -Naur a/initd/init.h b/initd/init.h
|
|
--- a/initd/init.h 2016-02-24 14:42:23.000000000 +0800
|
|
+++ b/initd/init.h 2018-02-09 09:54:11.000000000 +0800
|
|
@@ -33,4 +33,9 @@
|
|
return -ENOSYS;
|
|
}
|
|
#endif
|
|
+
|
|
+#if SELINUX_ENABLED
|
|
+int restorecon_recursive(const char* pathname);
|
|
+#endif
|
|
+
|
|
#endif
|
|
diff -Naur a/initd/preinit.c b/initd/preinit.c
|
|
--- a/initd/preinit.c 2018-02-09 09:50:41.744091527 +0800
|
|
+++ b/initd/preinit.c 2018-02-09 09:53:33.000000000 +0800
|
|
@@ -82,6 +82,9 @@
|
|
static void
|
|
kmodloader_cb(struct uloop_process *proc, int ret)
|
|
{
|
|
+#if SELINUX_ENABLED
|
|
+ restorecon_recursive("/dev");
|
|
+#endif
|
|
#if BOOT_PLAY == 2
|
|
char *boot_play_cmd[] = {"/sbin/boot-play", "boot", NULL};
|
|
|
|
diff -Naur a/plug/coldplug.c b/plug/coldplug.c
|
|
--- a/plug/coldplug.c 2016-02-24 14:42:23.000000000 +0800
|
|
+++ b/plug/coldplug.c 2018-02-09 09:53:15.000000000 +0800
|
|
@@ -45,7 +45,12 @@
|
|
|
|
umount2("/dev/pts", MNT_DETACH);
|
|
umount2("/dev/", MNT_DETACH);
|
|
+
|
|
+#if SELINUX_ENABLED
|
|
+ mount("devtmpfs", "/dev", "devtmpfs", MS_NOSUID, "mode=0755,size=512K");
|
|
+#else
|
|
mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755,size=512K");
|
|
+#endif
|
|
ignore(symlink("/tmp/shm", "/dev/shm"));
|
|
mkdir("/dev/pts", 0755);
|
|
umask(oldumask);
|
|
diff -Naur a/initd/early.c b/initd/early.c
|
|
--- a/initd/early.c 2018-08-30 09:07:17.832175983 +0800
|
|
+++ b/initd/early.c 2018-08-30 09:08:21.564178699 +0800
|
|
@@ -88,7 +88,11 @@
|
|
}
|
|
|
|
if (exist == 0)
|
|
+#if SELINUX_ENABLED
|
|
+ mount("devtmpfs", "/dev", "devtmpfs", MS_NOATIME | MS_NOSUID, "mode=0755,size=512K");
|
|
+#else
|
|
mount("tmpfs", "/dev", "tmpfs", MS_NOATIME | MS_NOSUID, "mode=0755,size=512K");
|
|
+#endif
|
|
return;
|
|
}
|