On 09/27/2016 03:00 AM, Weiyuan (David, Euler) wrote:
> "The rootfs is typically just unpacked from initramfs and all files within it
> are assigned a default label based on the genfscon statement"
>
> Do you mean the kernel labels rootfs with genfscon before init loads the
> sepolicy into the kernel?
>
> Could you please describe the details of how the rootfs is labeled with
> u:object_r:rootfs:s0 during the booting of Android (such as Nexus)?
If you really want to delve into that level of detail, then this is what happens:

When the inodes are allocated, SELinux initializes them with the unlabeled SID (inode_alloc_security). When the corresponding dentry is instantiated, SELinux adds them to a list associated with the superblock because policy has not yet been loaded, so we do not yet know how to label them (inode_doinit_with_dentry; sbsec->flags does not yet have SE_SBINITIALIZED set).

When init loads the /sepolicy file into the kernel, security_load_policy() calls selinux_complete_init() after loading the policy. selinux_complete_init() iterates the superblocks with delayed_superblock_init() as the callback, which calls superblock_doinit(). superblock_doinit() calls selinux_set_mnt_opts(), which calls security_fs_use(). security_fs_use() checks to see if the filesystem type has a fs_use_* rule, and if not, checks for a genfscon rule. For the rootfs, we find the genfscon rule and return SECURITY_FS_USE_GENFS along with the SID/context from the rule.

Then selinux_set_mnt_opts() calls sb_finish_set_opts(). sb_finish_set_opts() calls inode_doinit_with_dentry() on the root inode and inode_doinit() on any inode in the list (which in turn calls inode_doinit_with_dentry() with a NULL dentry). inode_doinit_with_dentry() falls through to the default case of the switch statement. inode_doinit_with_dentry() then sets the inode SID to the superblock SID (which came from the genfscon rule) and is done (rootfs does not enable SE_SBGENFS). The inode is now labeled with the context specified by the genfscon rule.
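The deferred-labeling sequence described in the reply, as an added user-space model that is not kernel code and not from the thread. The function names mirror the kernel ones the reply mentions, but the data structures, the policy tables and the SID numbers (10 standing in for u:object_r:rootfs:s0, 1 for the unlabeled SID) are constructed for illustration: inodes allocated before policy load sit on a per-superblock pending list with the unlabeled SID, and only when the (simulated) policy load runs superblock_doinit() does security_fs_use() find the genfscon rule and sb_finish_set_opts() relabel every pending inode from the superblock SID.

```c
/* Added example: a user-space model of SELinux's delayed superblock/inode
 * labeling on Android boot. Not the kernel's code; SIDs and tables are
 * constructed placeholders. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SECINITSID_UNLABELED 1      /* constructed stand-in for the unlabeled SID */
#define SECSID_NULL 0
#define SID_ROOTFS 10               /* constructed stand-in for u:object_r:rootfs:s0 */
#define MAX_INODES 16

/* labeling behaviors returned by security_fs_use() */
enum { SECURITY_FS_USE_NONE = 0, SECURITY_FS_USE_XATTR = 1, SECURITY_FS_USE_GENFS = 2 };

struct inode_security { const char *path; int sid; int initialized; };

struct superblock_security {
    const char *fstype;
    int sid;                        /* superblock SID from fs_use/genfscon */
    int behavior;
    int initialized;                /* SE_SBINITIALIZED analogue */
    struct inode_security inodes[MAX_INODES];
    int ninodes;
    int pending[MAX_INODES];        /* inodes waiting for policy (isec_head analogue) */
    int npending;
};

/* Constructed policy fragment: rootfs has no fs_use_* rule, only genfscon. */
struct rule { const char *fstype; int behavior; int sid; };
static const struct rule fs_use_rules[]  = { { "ext4",   SECURITY_FS_USE_XATTR, SECSID_NULL } };
static const struct rule genfscon_rules[] = { { "rootfs", SECURITY_FS_USE_GENFS, SID_ROOTFS },
                                              { "proc",   SECURITY_FS_USE_GENFS, 20 } };

/* fs_use_* first, then genfscon, as the reply describes. */
static int security_fs_use(const char *fstype, int *sid)
{
    size_t i;
    for (i = 0; i < sizeof fs_use_rules / sizeof fs_use_rules[0]; i++)
        if (strcmp(fs_use_rules[i].fstype, fstype) == 0) {
            *sid = fs_use_rules[i].sid;
            return fs_use_rules[i].behavior;
        }
    for (i = 0; i < sizeof genfscon_rules / sizeof genfscon_rules[0]; i++)
        if (strcmp(genfscon_rules[i].fstype, fstype) == 0) {
            *sid = genfscon_rules[i].sid;
            return SECURITY_FS_USE_GENFS;
        }
    *sid = SECSID_NULL;
    return SECURITY_FS_USE_NONE;
}

static void inode_doinit(struct superblock_security *sb, int idx)
{
    struct inode_security *isec = &sb->inodes[idx];
    if (!sb->initialized) {             /* no policy yet: defer on the superblock list */
        if (sb->npending < MAX_INODES)
            sb->pending[sb->npending++] = idx;
        return;
    }
    isec->sid = sb->sid;                /* default case: take the superblock SID */
    isec->initialized = 1;
}

/* Inode starts out unlabeled; labeling is attempted immediately and may defer. */
static int inode_alloc_security(struct superblock_security *sb, const char *path)
{
    int idx;
    if (sb->ninodes >= MAX_INODES)
        return -1;
    idx = sb->ninodes++;
    sb->inodes[idx].path = path;
    sb->inodes[idx].sid = SECINITSID_UNLABELED;
    sb->inodes[idx].initialized = 0;
    inode_doinit(sb, idx);
    return idx;
}

static void sb_finish_set_opts(struct superblock_security *sb)
{
    int i;
    sb->initialized = 1;                /* SE_SBINITIALIZED now set */
    for (i = 0; i < sb->npending; i++)
        inode_doinit(sb, sb->pending[i]);
    sb->npending = 0;
}

static void superblock_doinit(struct superblock_security *sb)
{
    sb->behavior = security_fs_use(sb->fstype, &sb->sid);
    sb_finish_set_opts(sb);
}

/* Models selinux_complete_init() walking every superblock after policy load. */
static void security_load_policy(struct superblock_security **sbs, int n)
{
    int i;
    for (i = 0; i < n; i++)
        superblock_doinit(sbs[i]);
}

static int sid_of(const struct superblock_security *sb, int idx)
{
    return (idx >= 0 && idx < sb->ninodes) ? sb->inodes[idx].sid : SECSID_NULL;
}

int main(void)
{
    struct superblock_security rootfs;
    struct superblock_security *sbs[1] = { &rootfs };
    int init_idx;
    memset(&rootfs, 0, sizeof rootfs);
    rootfs.fstype = "rootfs";
    init_idx = inode_alloc_security(&rootfs, "/init");
    printf("before policy load: /init sid=%d pending=%d\n", sid_of(&rootfs, init_idx), rootfs.npending);
    security_load_policy(sbs, 1);
    printf("after policy load:  /init sid=%d pending=%d\n", sid_of(&rootfs, init_idx), rootfs.npending);
    return 0;
}
```

Inodes created after the policy load (for example files init creates later) never touch the pending list: inode_doinit() sees the superblock already initialized and assigns the genfscon SID at once, which is the behavior the model's test exercises alongside the deferred path.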