| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Run 'setfattr -n security.restorecon_last' for ARC++" |
| author "chromium-os-dev@chromium.org" |
| |
| # On Android, /init writes the security.restorecon_last attribute to /cache and |
| # /data after it finishes updating labels of the files in the directories, but |
| # on ARC++, writing the attribute fails silently because processes under user |
| # namespace are not allowed to write arbitrary entries under security.* even |
| # with CAP_SYS_ADMIN. (b/33084415, b/33402785) As a workaround, let this |
| # Upstart job living outside the container set the attribute for ARC++. |
| # Note that arc-booted is only emitted when ARC++ successfully reaches the |
| # boot_complete_enable_screen phase, which implies that all the |
| # restorecon_recursive calls done by init have successfully completed. Also, |
| # writing the wrong hash does not make the situation worse, because it would |
| # still perform restorecon_recursive on next boot. |
| # TODO(yusukes): Remove this job once b/33084415 is fixed for all kernel |
| # versions we use. |
| |
| start on arc-booted |
| |
| env LOGFILE=/var/log/arc-setfattr.log |
| env ROOTFS=/opt/google/containers/android/rootfs |
| |
| script |
| exec > $LOGFILE 2>&1 |
| echo "$(date --rfc-3339=ns): Starting arc-setfattr" |
| set -x |
| |
| CONTEXTS=$ROOTFS/root/file_contexts.bin |
| if [ ! -f $CONTEXTS ]; then |
| # MNC's system image does not have the binary version and libselinux |
| # uses file_contexts for computing the hash value. |
| CONTEXTS=$ROOTFS/root/file_contexts |
| fi |
| VAL="$(cat $CONTEXTS | openssl dgst -sha1 -binary | openssl enc -base64)" |
| setfattr -n security.restorecon_last -v "0s$VAL" \ |
| $ROOTFS/android-data/data $ROOTFS/android-data/cache |
| end script |
