a1b5185ecb
Android Q init assumes rootfs to always be on EXT4 images, thus never runs restorecon on the whole root directory. This is an issue because some folders in rootfs were set with special selabels in the system partition, but when copying over to initramfs by magiskinit, these labels will not be preserved. So the solution is to relabel the files in rootfs with the original context right? Yes, but rootfs does not allow security xattr to be set on files before the kernel SELinux initializes with genfs_contexts. We have to load our sepolicy to the kernel before we clone the root directory from system partition, which we will also restore the selabel in the meantime. Unfortunately this means that for each reboot, the exact same policy will be loaded to the kernel twice: once in magiskinit so we can label rootfs properly, and once by the original init, which is part of the boot procedure. There is no easy way to prevent init from loading sepolicy, as init will refuse to continue if policy loading has failed. |
||
---|---|---|
.. | ||
core | ||
external | ||
include | ||
magiskboot | ||
magiskhide | ||
magiskpolicy | ||
resetprop | ||
su | ||
systemproperties | ||
utils | ||
Android.mk | ||
Application.mk |