Android 11 init进程对Selinux的处理

在init进程启动的过程中，会去初始化Selinux

int main(int argc, char** argv) {
	//省略	
		if (!strcmp(argv[1], "selinux_setup")) {
            return SetupSelinux(argv);
        }

	//省略
}

SetupSelinux函数在 selinux.cpp文件中实现

int SetupSelinux(char** argv) {
    SetStdioToDevNull(argv);
    InitKernelLogging(argv);//将init进程的打印重定向到kernel

    //省略

    // Set up SELinux, loading the SELinux policy.
    SelinuxSetupKernelLogging();//设置回调，调用selinux_log时会将打印写进kernel
    SelinuxInitialize();

    // We're in the kernel domain and want to transition to the init domain.  File systems that
    // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
    // but other file systems do.  In particular, this is needed for ramdisks such as the
    // recovery image for A/B devices.
    if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
        PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
    }

    //省略

    return 1;
}

调用 SelinuxInitialize函数

void SelinuxInitialize() {
    LOG(INFO) << "Loading SELinux policy";
    if (!LoadPolicy()) {
        LOG(FATAL) << "Unable to load SELinux policy";
    }

    bool kernel_enforcing = (security_getenforce() == 1);
    bool is_enforcing = IsEnforcing();
    if (kernel_enforcing != is_enforcing) {
        if (security_setenforce(is_enforcing)) {
            PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
                        << ") failed";
        }
    }

    if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
        LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
    }
}

• 调用LoadPolicy初始化Seliunx
• IsEnforcing是读启动参数中 androidboot.selinux 的值，security_getenforce是从内核中取值。如果两者不相等，则Slinux模式设置成启动参数中的值

LoadPolicy

bool LoadPolicy() {
    return IsSplitPolicyDevice() ? LoadSplitPolicy() : LoadMonolithicPolicy();
}

IsSplitPolicyDevice 就是判断/system/etc/selinux/plat_sepolicy.cil存不存在。在Android 11 中 IsSplitPolicyDevice的返回值为true

constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";

bool IsSplitPolicyDevice() {
    return access(plat_policy_cil_file, R_OK) != -1;
}

//系统执行ls -al
ls -al system/etc/selinux/plat_sepolicy.cil                                    
-rw-r--r-- 1 root root 1646622 2024-01-17 17:59 system/etc/selinux/plat_sepolicy.cil

所以调用的是LoadSplitPolicy 函数

bool LoadSplitPolicy() {
   	//省略
   	
    std::string precompiled_sepolicy_file;
    if (!use_userdebug_policy && FindPrecompiledSplitPolicy(&precompiled_sepolicy_file)) {
        unique_fd fd(open(precompiled_sepolicy_file.c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
        if (fd != -1) {
            if (selinux_android_load_policy_from_fd(fd, precompiled_sepolicy_file.c_str()) < 0) {
                LOG(ERROR) << "Failed to load SELinux policy from " << precompiled_sepolicy_file;
                return false;
            }
            return true;
        }
    }
	
	char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
    unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
	
	std::string vend_plat_vers;
    if (!GetVendorMappingVersion(&vend_plat_vers)) {//android 11 是 30 
        return false;
    }
	
	std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
    std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers +
                                     ".compat.cil");
    std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
    std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
                                        ".cil");
    std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
 
    std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
    std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
    std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
     std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
    
	// clang-format off
    std::vector<const char*> compile_args {
        "/system/bin/secilc",
        use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,
        "-m", "-M", "true", "-G", "-N",
        "-c", version_as_string.c_str(),
        plat_mapping_file.c_str(),
        "-o", compiled_sepolicy,
        // We don't care about file_contexts output by the compiler
        "-f", "/sys/fs/selinux/null",  // /dev/null is not yet available
    };

	if (!plat_compat_cil_file.empty()) {
        compile_args.push_back(plat_compat_cil_file.c_str());
    }
    if (!system_ext_policy_cil_file.empty()) {
        compile_args.push_back(system_ext_policy_cil_file.c_str());
    }
    if (!system_ext_mapping_file.empty()) {
        compile_args.push_back(system_ext_mapping_file.c_str());
    }
    if (!product_policy_cil_file.empty()) {
        compile_args.push_back(product_policy_cil_file.c_str());
    }
    if (!product_mapping_file.empty()) {
        compile_args.push_back(product_mapping_file.c_str());
    }
    if (!plat_pub_versioned_cil_file.empty()) {
        compile_args.push_back(plat_pub_versioned_cil_file.c_str());
    }
    if (!vendor_policy_cil_file.empty()) {
        compile_args.push_back(vendor_policy_cil_file.c_str());
    }
    if (!odm_policy_cil_file.empty()) {
        compile_args.push_back(odm_policy_cil_file.c_str());
    }
    compile_args.push_back(nullptr);
	
	if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
        unlink(compiled_sepolicy);
        return false;
    }
    unlink(compiled_sepolicy);
    
    if (selinux_android_load_policy_from_fd(compiled_sepolicy_fd, compiled_sepolicy) < 0) {
        LOG(ERROR) << "Failed to load SELinux policy from " << compiled_sepolicy;
        return false;
    }

1. 调用FindPrecompiledSplitPolicy 查找 precompiled_sepolicy 文件并进行效验
2. 没有找到的话，然后在相关的目录下（vendor/etc/seliunx、system/etc/seliunx、odm/etc/seliunx等）收集 cil 文件，然后使用secilc进行动态编译
3. 不管是使用precompiled_sepolicy 文件还是 动态编译，最终都是调用selinux_android_load_policy_from_fd将Selinux策略写进内核

selinux_android_load_policy_from_fd在libselinux库中，源码路径是external/selinux/libselinux/src/android/android_platform.c

int selinux_android_load_policy_from_fd(int fd, const char *description)
{
        int rc;
        struct stat sb;
        void *map = NULL;
        static int load_successful = 0;

        //省略，主要是避免重复加载
		
        set_selinuxmnt(SELINUXMNT);
        
        map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        
        rc = security_load_policy(map, sb.st_size);
        
        munmap(map, sb.st_size);
      
        return 0;
}

首先调用 set_selinuxmnt 设置selinux_mnt 为 /sys/fs/selinux

#define SELINUXMNT "/sys/fs/selinux"

void set_selinuxmnt(const char *mnt)
{
        selinux_mnt = strdup(mnt);
}

然后调用 security_load_policy

int security_load_policy(void *data, size_t len)
{
        char path[PATH_MAX];
        int fd, ret;

        if (!selinux_mnt) {
                errno = ENOENT;
                return -1;
        }

        snprintf(path, sizeof path, "%s/load", selinux_mnt); //selinux_mnt为上面设置的/sys/fs/selinux
        fd = open(path, O_RDWR | O_CLOEXEC);
        if (fd < 0)
                return -1;

        ret = write(fd, data, len);
        close(fd);
        if (ret < 0)
                return -1;
        return 0;
}

可以看出，首先打开/sys/fs/selinux/load节点，最后调用write，将其写入内核。

总结

首先去查找 precompiled_sepolicy 文件并做效验 。查找的流程是 先找/odm/etc/selinux/precompiled_sepolicy，如果没有，再找/vendor/etc/selinux/precompiled_sepolicy （具体可分析FindPrecompiledSplitPolicy函数）。如果找到了，则直接调用selinux_android_load_policy_from_fd将其写入内核。如果没找到或者效验不通过，则收集相关目录下的cil文件进行动态编译，然后也是调用selinux_android_load_policy_from_fd写入内核。写入内核是通过/sys/fs/selinux/load节点