[compiler-rt] r218599 - [asan] Fix SELinux setup on Android-K.

Evgeniy Stepanov eugeni.stepanov at gmail.com
Mon Sep 29 02:48:13 PDT 2014 

Author: eugenis
Date: Mon Sep 29 04:48:13 2014
New Revision: 218599

URL: http://llvm.org/viewvc/llvm-project?rev=218599&view=rev
Log:
[asan] Fix SELinux setup on Android-K.

On pre-L devices SELinux is set up in such a way that zygote wrapper
has to be in system_file context, not zygote_exec.

Modified:
    compiler-rt/trunk/lib/asan/scripts/asan_device_setup

Modified: compiler-rt/trunk/lib/asan/scripts/asan_device_setup
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/scripts/asan_device_setup?rev=218599&r1=218598&r2=218599&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/scripts/asan_device_setup (original)
+++ compiler-rt/trunk/lib/asan/scripts/asan_device_setup Mon Sep 29 04:48:13 2014
@@ -129,6 +129,12 @@ $ADB root
 $ADB wait-for-device
 $ADB remount
 
+RELEASE=$($ADB shell getprop ro.build.version.release)
+PRE_L=0
+if echo "$RELEASE" | grep '^4\.' >&/dev/null; then
+    PRE_L=1
+fi
+
 if ! $ADB shell readlink /system/bin/app_process | grep 'app_process' >&/dev/null; then
 
     if $ADB pull /system/bin/app_process.real /dev/null >&/dev/null; then
@@ -209,10 +215,29 @@ if ! ( cd "$TMPDIRBASE" && diff -qr old/
 
     # Make SELinux happy by keeping app_process wrapper and the shell
     # it runs on in zygote domain.
+    ENFORCING=0
+    if $ADB shell getenforce | grep Enforcing >/dev/null; then
+        # Sometimes shell is not allowed to change file contexts.
+        # Temporarily switch to permissive.
+        ENFORCING=1
+        $ADB shell setenforce 0
+    fi
+
     $ADB shell cp /system/bin/sh /system/bin/sh-from-zygote
-    $ADB shell chcon u:object_r:zygote_exec:s0 \
+
+    if [[ PRE_L -eq 1 ]]; then
+        CTX=u:object_r:system_file:s0
+    else
+        CTX=u:object_r:zygote_exec:s0
+    fi
+    $ADB shell chcon $CTX \
         /system/bin/sh-from-zygote \
-        /system/bin/app_process.wrap
+        /system/bin/app_process.wrap \
+        /system/bin/app_process32
+
+    if [ $ENFORCING == 1 ]; then
+        $ADB shell setenforce 1
+    fi
 
     echo '>> Restarting shell (asynchronous)'
     $ADB shell stop

More information about the llvm-commits mailing list