author Yurii Zubrytskyi <zyy@google.com> 2022-05-15 23:29:49 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-05-15 23:29:49 +0000
commit15f33649a5df94cec4152710125a37fd55290cb0 (patch)
treec8913ac6abdec9af9c700f9dd996ea4ea1f7559b
parent55b9921cba98df6aae4603b66d0d2f70bfcc5376 (diff)
parent8063d3ad8aa0a0e1e018932527a23167ab5427a6 (diff)
Merge "SELinux labels bug logging and workaround" into tm-dev am: a9cdc4a888 am: 8063d3ad8a
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/18281657 Change-Id: I740d9e22609a6f26c1bfb29d7707f93fb280040e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--services/core/java/com/android/server/pm/FileInstallArgs.java19
-rw-r--r--services/core/java/com/android/server/pm/InstallPackageHelper.java5
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerServiceUtils.java25
3 files changed, 46 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/FileInstallArgs.java b/services/core/java/com/android/server/pm/FileInstallArgs.java
index 85c3cc91ecf0..e3ceccd1abb8 100644
--- a/services/core/java/com/android/server/pm/FileInstallArgs.java
+++ b/services/core/java/com/android/server/pm/FileInstallArgs.java
@@ -172,9 +172,22 @@ class FileInstallArgs extends InstallArgs {
return false;
}
- if (!onIncremental && !SELinux.restoreconRecursive(afterCodeFile)) {
- Slog.w(TAG, "Failed to restorecon");
- return false;
+ if (onIncremental) {
+ Slog.i(TAG, PackageManagerServiceUtils.SELINUX_BUG
+ + ": Skipping restorecon for Incremental install of " + beforeCodeFile);
+ } else {
+ try {
+ if (!SELinux.restoreconRecursive(afterCodeFile)) {
+ Slog.w(TAG, "Failed to restorecon");
+ return false;
+ }
+ PackageManagerServiceUtils.verifySelinuxLabels(afterCodeFile.getAbsolutePath());
+ } catch (Exception e) {
+ Slog.e(TAG,
+ PackageManagerServiceUtils.SELINUX_BUG + ": Exception from restorecon on "
+ + beforeCodeFile, e);
+ throw e;
+ }
}
// Reflect the rename internally
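Review bot: The new catch block logs `beforeCodeFile`, but both calls inside the try (`SELinux.restoreconRecursive` and `verifySelinuxLabels`) operate on `afterCodeFile`. The trailing "Reflect the rename internally" comment suggests the rename has already happened by this point, so the logged path may no longer exist when someone triages b/231951809 from the log. Logging the path that was actually relabelled would be more useful: `PackageManagerServiceUtils.SELINUX_BUG + ": Exception from restorecon on " + afterCodeFile, e);`. The enclosing method starts and ends outside the hunk, so the rename ordering is inferred from the context lines only.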
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index 2d8d4f588192..7932897f295a 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -648,6 +648,10 @@ final class InstallPackageHelper {
Log.v(TAG, "restoreAndPostInstall userId=" + userId + " package=" + res.mPkg);
}
+ if (res.mPkg != null) {
+ PackageManagerServiceUtils.verifySelinuxLabels(res.mPkg.getPath());
+ }
+
// A restore should be requested at this point if (a) the install
// succeeded, (b) the operation is not an update.
final boolean update = res.mRemovedInfo != null
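Review bot: This call does not carry the Incremental exemption that FileInstallArgs applies in the same commit. There, restorecon is skipped when `onIncremental` is true, whereas `verifySelinuxLabels` runs `SELinux.restoreconRecursive` on any label mismatch regardless of where the package lives. If relabelling Incremental installs here is intended, a comment such as `// b/231951809: also re-checks Incremental installs, which FileInstallArgs skips` would make that explicit; if not, the call needs the same guard. The call in the second hunk of this file (before `scanSystemPackageLI`) is likewise unguarded, and the method body continues outside this hunk.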
@@ -3566,6 +3570,7 @@ final class InstallPackageHelper {
@ParsingPackageUtils.ParseFlags int parseFlags,
@PackageManagerService.ScanFlags int scanFlags,
@Nullable UserHandle user) throws PackageManagerException {
+ PackageManagerServiceUtils.verifySelinuxLabels(parsedPackage.getPath());
final Pair<ScanResult, Boolean> scanResultPair = scanSystemPackageLI(
parsedPackage, parseFlags, scanFlags, user);
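Review bot: The added `verifySelinuxLabels(parsedPackage.getPath())` line has no comment tying it to the workaround, unlike the helper itself, so it will be easy to miss when b/231951809 is resolved. A one-line marker would help: `// b/231951809: re-check labels before scanning; remove together with the workaround`. Because the call sits unconditionally ahead of `scanSystemPackageLI`, every package that reaches this method also gets the helper's info-level log line and two label lookups. That may be acceptable for a temporary diagnostic but is worth stating. The method signature begins outside the hunk.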
diff --git a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
index 4d11b13510e9..d0aa6c2b8726 100644
--- a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
+++ b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
@@ -60,6 +60,7 @@ import android.os.Debug;
import android.os.Environment;
import android.os.FileUtils;
import android.os.Process;
+import android.os.SELinux;
import android.os.SystemProperties;
import android.os.incremental.IncrementalManager;
import android.os.incremental.IncrementalStorage;
@@ -1388,4 +1389,28 @@ public class PackageManagerServiceUtils {
}
}
}
+
+ // TODO(b/231951809): remove this workaround after figuring out why apk_tmp_file labels stay
+ // on the installed apps instead of the correct apk_data_file ones
+
+ public static final String SELINUX_BUG = "b/231951809";
+
+ /**
+ * A workaround for b/231951809:
+ * Verifies the SELinux labels of the passed path, and tries to correct them if detects them
+ * wrong or missing.
+ */
+ public static void verifySelinuxLabels(String path) {
+ final String expectedCon = SELinux.fileSelabelLookup(path);
+ final String actualCon = SELinux.getFileContext(path);
+ Slog.i(TAG, SELINUX_BUG + ": checking selinux labels for " + path + " expected / actual: "
+ + expectedCon + " / " + actualCon);
+ if (expectedCon == null || !expectedCon.equals(actualCon)) {
+ Slog.w(TAG, SELINUX_BUG + ": labels don't match, reapplying for " + path);
+ if (!SELinux.restoreconRecursive(new File(path))) {
+ Slog.w(TAG, SELINUX_BUG + ": Failed to reapply restorecon");
+ }
+ // well, if it didn't work now after not working at first, not much else can be done
+ }
+ }
}
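Review bot: `verifySelinuxLabels` returns `void` and never re-reads the label after `restoreconRecursive`, so no caller in this commit can tell whether a package is still carrying the wrong label (the TODO names `apk_tmp_file` instead of `apk_data_file`). That contrasts with FileInstallArgs, where a failed restorecon aborts with `return false`. Returning a boolean and confirming the label after the retry would let callers decide, and existing callers that ignore the result keep compiling. Only the label of `path` itself is compared, so a correct top-level label with mislabelled children would go unnoticed; the Javadoc should say so, and "if detects them wrong" should read "if it finds them wrong or missing".

```java
public static boolean verifySelinuxLabels(String path) {
    // … unchanged: expectedCon / actualCon lookup and the info log …
    if (expectedCon != null && expectedCon.equals(actualCon)) {
        return true;
    }
    Slog.w(TAG, SELINUX_BUG + ": labels don't match, reapplying for " + path);
    if (!SELinux.restoreconRecursive(new File(path))) {
        Slog.w(TAG, SELINUX_BUG + ": Failed to reapply restorecon");
        return false;
    }
    // Re-read the label so the result reflects what is on disk after the retry.
    final String fixedCon = SELinux.getFileContext(path);
    return expectedCon != null && expectedCon.equals(fixedCon);
}
```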