Restorecon artifact dirs and files correctly.

The restorecon has to be done after all the files are created, so that the SELinux context is applied to all of them. Also, before this change, artd does a restorecon on the ISA dir without seinfo, which is wrong, and this change fixes it. Bug: 262230400 Test: - 1. adb shell pm art optimize-package -m verify -f --secondary-dex com.google.android.gms 2. No longer see SELinux complaining about artd trying to read packages.list. 3. See all dirs and files having the right SELinux context. Ignore-AOSP-First: ART Services. Change-Id: Iadaf1f1723819061c9e91aa8f0885b272d44c64f
author: Jiakai Zhang <jiakaiz@google.com> 2022-12-20 13:29:13 +0000
committer: Jiakai Zhang <jiakaiz@google.com> 2023-01-03 19:16:27 +0000
commit: 1df1cc3285f2c8af5f345bcbf0a2323b17d2299d (patch)
tree: 16918158befb3d20f4098abe0516f54ef935d713 /artd
parent: ac9c2bd8155d8a087ad3050f2ac2531d545084bb (diff)
1 files changed, 33 insertions, 25 deletions
diff --git a/artd/artd.cc b/artd/artd.cc
index 2e55537dae..c41e9d5d86 100644
--- a/artd/artd.cc
+++ b/artd/artd.cc
@@ -212,11 +212,7 @@ ArtifactsLocation ArtifactsLocationToAidl(OatFileAssistant::Location location) {
   LOG(FATAL) << "Unexpected Location " << location;
 }
 
-Result<void> PrepareArtifactsDir(
-    const std::string& path,
-    const FsPermission& fs_permission,
-    const std::optional<OutputArtifacts::PermissionSettings::SeContext>& se_context =
-        std::nullopt) {
+Result<void> PrepareArtifactsDir(const std::string& path, const FsPermission& fs_permission) {
   std::error_code ec;
   bool created = std::filesystem::create_directory(path, ec);
   if (ec) {
@@ -234,26 +230,12 @@ Result<void> PrepareArtifactsDir(
   }
   OR_RETURN(Chown(path, fs_permission));
 
-  if (kIsTargetAndroid) {
-    int res = 0;
-    if (se_context.has_value()) {
-      res = selinux_android_restorecon_pkgdir(path.c_str(),
-                                              se_context->seInfo.c_str(),
-                                              se_context->uid,
-                                              SELINUX_ANDROID_RESTORECON_RECURSE);
-    } else {
-      res = selinux_android_restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_RECURSE);
-    }
-    if (res != 0) {
-      return ErrnoErrorf("Failed to restorecon directory '{}'", path);
-    }
-  }
-
   cleanup.Disable();
   return {};
 }
 
-Result<void> PrepareArtifactsDirs(const OutputArtifacts& output_artifacts) {
+Result<void> PrepareArtifactsDirs(const OutputArtifacts& output_artifacts,
+                                  /*out*/ std::string* oat_dir_path) {
   if (output_artifacts.artifactsPath.isInDalvikCache) {
     return {};
   }
@@ -263,10 +245,31 @@ Result<void> PrepareArtifactsDirs(const OutputArtifacts& output_artifacts) {
   std::filesystem::path oat_dir = isa_dir.parent_path();
   DCHECK_EQ(oat_dir.filename(), "oat");
 
-  OR_RETURN(PrepareArtifactsDir(oat_dir,
-                                output_artifacts.permissionSettings.dirFsPermission,
-                                output_artifacts.permissionSettings.seContext));
+  OR_RETURN(PrepareArtifactsDir(oat_dir, output_artifacts.permissionSettings.dirFsPermission));
   OR_RETURN(PrepareArtifactsDir(isa_dir, output_artifacts.permissionSettings.dirFsPermission));
+  *oat_dir_path = oat_dir;
+  return {};
+}
+
+Result<void> Restorecon(
+    const std::string& path,
+    const std::optional<OutputArtifacts::PermissionSettings::SeContext>& se_context) {
+  if (!kIsTargetAndroid) {
+    return {};
+  }
+
+  int res = 0;
+  if (se_context.has_value()) {
+    res = selinux_android_restorecon_pkgdir(path.c_str(),
+                                            se_context->seInfo.c_str(),
+                                            se_context->uid,
+                                            SELINUX_ANDROID_RESTORECON_RECURSE);
+  } else {
+    res = selinux_android_restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_RECURSE);
+  }
+  if (res != 0) {
+    return ErrnoErrorf("Failed to restorecon directory '{}'", path);
+  }
   return {};
 }
 
@@ -766,7 +769,8 @@ ndk::ScopedAStatus Artd::dexopt(
     }
   }
 
-  OR_RETURN_NON_FATAL(PrepareArtifactsDirs(in_outputArtifacts));
+  std::string oat_dir_path;
+  OR_RETURN_NON_FATAL(PrepareArtifactsDirs(in_outputArtifacts, &oat_dir_path));
 
   CmdlineBuilder args;
   args.Add(OR_RETURN_FATAL(GetArtExec())).Add("--drop-capabilities");
@@ -889,6 +893,10 @@ ndk::ScopedAStatus Artd::dexopt(
     // TODO(b/260228411): Check uid and gid.
   }
 
+  // Restorecon after the output files are created, so that the SELinux context is applied to all of
+  // them.
+  OR_RETURN_NON_FATAL(Restorecon(oat_dir_path, in_outputArtifacts.permissionSettings.seContext));
+
   AddBootImageFlags(args);
   AddCompilerConfigFlags(
       in_instructionSet, in_compilerFilter, in_priorityClass, in_dexoptOptions, args);
author	Jiakai Zhang <jiakaiz@google.com>	2022-12-20 13:29:13 +0000
committer	Jiakai Zhang <jiakaiz@google.com>	2023-01-03 19:16:27 +0000
commit	1df1cc3285f2c8af5f345bcbf0a2323b17d2299d (patch)
tree	16918158befb3d20f4098abe0516f54ef935d713 /artd
parent	ac9c2bd8155d8a087ad3050f2ac2531d545084bb (diff)