On 06/13/2014 10:16 AM, Pankaj Kushwaha wrote:
> Hi,
>
> I am trying to call an API selinux_android_setfilecon2(pkgdir, pkgname, seinfo, uid) to relabel files for all the packages present on my device.
>
> After boot I fetch the number of apps installed on the device in SystemServer.java, and call a method of PackageManagerService through the AIDL interface. This method in PackageManagerService calls a method in Installer.java which I have written, that is defined in frameworks/base/cmds/installd/command.c (following the same calling mechanism as followed by mInstaller.install(packageName, uid, uid, seinfo) when a new app is installed).
>
> My problem is this: when the install method calls selinux_android_setfilecon2, it relabels successfully, but when I do it from my method, selinux_android_setfilecon2 returns -1 and my files are not relabeled.
>
> I also tried in permissive mode, so that proves that I am not being stopped by MAC. But even DAC shouldn't stop me, as this file already calls the setfilecon2 API successfully.
> Can you please help me with this: how can I call this API?
We already have a mechanism for this purpose in AOSP master (and back-ported to our seandroid-4.4.3 branch). frameworks/base/services/java/com/android/server/pm/PackageManagerService.java calls mInstaller.restoreconData() for each package. Installer.java restoreconData invokes the installd restorecondata command. frameworks/native/cmds/installd/commands.c:restorecon_data() calls selinux_android_restorecon_pkgdir() on the package directory for the primary user and any secondary users.

This should happen on first boot or upgrade; the PMS only does it if there is no /data/system/seapp_hash file or if a hash of the seapp_contexts file no longer matches the contents of that file (i.e. seapp_contexts has changed since the last such restorecon).

With regard to why it fails for you, note that setting security.selinux on a file that is owned by a different UID requires CAP_FOWNER. Also, setfilecon/setfilecon2 only relabels a single file; you want restorecon with the appropriate flags to recursively relabel as in our approach above.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
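The seapp_hash gate described in the reply, as an added example rather than AOSP's own code: a relabel runs only when no hash has been recorded or the recorded hash no longer matches the current seapp_contexts, and the new hash is written only after the relabel succeeds. The digest algorithm (SHA-256), the helper names and the sample seapp_contexts lines are assumptions; the page only says "a hash of the seapp_contexts file" is compared with /data/system/seapp_hash.

```python
"""Model of the seapp_hash gate that decides whether a boot-time relabel runs.

Added example, not AOSP code. The hash algorithm (SHA-256), helper names and
sample policy lines are assumptions; the page only says the PMS compares a
hash of seapp_contexts with /data/system/seapp_hash.
"""
import hashlib
import os
import tempfile
from typing import Callable, Optional


def seapp_digest(contexts: bytes) -> bytes:
    """Hash the full seapp_contexts contents (algorithm is an assumption)."""
    return hashlib.sha256(contexts).digest()


def restorecon_needed(contexts: bytes, stored_hash: Optional[bytes]) -> bool:
    """True when no hash was ever recorded or the policy changed since then."""
    return stored_hash is None or stored_hash != seapp_digest(contexts)


def relabel_if_needed(contexts_path: str, hash_path: str,
                      restorecon: Callable[[], None]) -> bool:
    """Run the relabel only when needed, then record the hash of the policy
    the labels now correspond to. Returns whether a relabel ran."""
    with open(contexts_path, "rb") as f:
        contexts = f.read()
    stored = None
    if os.path.exists(hash_path):
        with open(hash_path, "rb") as f:
            stored = f.read()
    if not restorecon_needed(contexts, stored):
        return False
    restorecon()  # real code: installd restorecondata for every package
    with open(hash_path, "wb") as f:  # written only after a successful relabel
        f.write(seapp_digest(contexts))
    return True


def demo() -> tuple:
    """Constructed scenario: first boot, reboot unchanged, then policy update."""
    with tempfile.TemporaryDirectory() as d:
        ctx = os.path.join(d, "seapp_contexts")
        h = os.path.join(d, "seapp_hash")  # stands in for /data/system/seapp_hash
        with open(ctx, "w") as f:  # constructed sample line, not a real policy
            f.write("user=_app domain=untrusted_app type=app_data_file\n")
        runs = []
        first = relabel_if_needed(ctx, h, lambda: runs.append("relabel"))
        second = relabel_if_needed(ctx, h, lambda: runs.append("relabel"))
        with open(ctx, "a") as f:  # simulate an updated seapp_contexts
            f.write("user=_app seinfo=platform domain=platform_app type=app_data_file\n")
        third = relabel_if_needed(ctx, h, lambda: runs.append("relabel"))
        return first, second, third, len(runs)
```

demo() returns (True, False, True, 2): the first boot and the policy change trigger a relabel, the unchanged reboot does not.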