[Feature][ZXW-65]merged P49 base code
Change-Id: I3e09c0c3d47483bc645f02310380ecb7fc6f4041
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
new file mode 100755
index 0000000..3c2a576
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux autorelabel service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-autorelabel.sh
+
+[Install]
+WantedBy=sysinit.target
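Review bot: The unit sets `DefaultDependencies=no` and `Before=sysinit.target` but no `After=`, so nothing orders it after the filesystems that `fixfiles -F -f relabel` has to walk; the sibling selinux-init.service in this commit carries `After=local-fs.target`, and this unit should have the same line. All three SELinux units in this series are ordered only against sysinit.target, so their order relative to each other is unspecified; if the relabel is meant to run ahead of selinux-init.sh and selinux-labeldev.sh, add `Before=selinux-init.service selinux-labeldev.service` here as well.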
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100755
index 0000000..25b6921
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${FIXFILES} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${SETENFORCE} 0
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+exit 0
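Review bot: The marker is removed and the reboot issued regardless of whether `fixfiles` succeeded (lines 44-47), so a relabel that fails partway leaves the tree partly labelled and the next boot comes up enforcing with no retry and no diagnostic. Keep the marker when the relabel fails so the next boot tries again: `if ${FIXFILES} -F -f relabel; then /bin/rm -f /.autorelabel; else echo "SELinux: relabel failed, keeping /.autorelabel" >&2; fi`; if a reboot loop on a persistently failing relabel is a concern, exit non-zero instead of rebooting in that branch so the unit reports the failure. The diagnostics are easier to find in the journal if written to stderr, and `test -x $i` should quote `"$i"` even though the paths are constants.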
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
new file mode 100755
index 0000000..a919445
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
@@ -0,0 +1,26 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+ file://${BPN}.service \
+ "
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
+
+do_install:append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ echo "# first boot relabelling" > ${D}/.autorelabel
+ fi
+}
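Review bot: `RDEPENDS:${PN}` lists only policycoreutils-setfiles, but selinux-autorelabel.sh hard-codes `/usr/sbin/setenforce`, which the sibling selinux-init_0.1.bb in this commit pulls in via `libselinux-bin`; add `libselinux-bin` here, and confirm that `/sbin/fixfiles` is really shipped by policycoreutils-setfiles rather than a separate policycoreutils sub-package (I cannot tell from the diff). `/.autorelabel` is only written in the systemd branch, so on sysvinit images this script never relabels; a comment above the `if`, `# sysvinit first-boot relabel is done by selinux-init.sh.sysvinit instead`, would save the next reader the search.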
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.service b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.service
new file mode 100755
index 0000000..91b3e72
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SELinux init service loading
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-init.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
new file mode 100755
index 0000000..f93d231
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+check_rootfs()
+{
+ ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+ echo ""
+ echo "* SELinux requires the root '/' filesystem support extended"
+ echo " filesystem attributes (XATTRs). It does not appear that this"
+ echo " filesystem has extended attribute support or it is not enabled."
+ echo ""
+ echo " - To continue using SELinux you will need to enable extended"
+ echo " attribute support on the root device."
+ echo ""
+ echo " - To disable SELinux, please add \"selinux=0\" in the kernel"
+ echo " command line."
+ echo ""
+ echo "* Halting the system now."
+ /sbin/shutdown -f -h now
+}
+
+# sysvinit firstboot relabel placeholder HERE
+
+exit 0
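Review bot: `check_rootfs` does not stop after `/sbin/shutdown -f -h now` (line 139): the function returns with shutdown's status, the caller added in selinux-init.sh.sysvinit ignores it, and `setenforce 0` plus `restorecon -RF /` then run on a root that was just found not to support xattrs while the shutdown is in flight. End the function with `exit 1` after the shutdown, or `return 1` and have the sysvinit caller test it. In the systemd build the `HERE` line is stripped and nothing calls `check_rootfs`, so the installed /usr/bin/selinux-init.sh does nothing beyond the tool check; if the xattr check is meant to run under systemd too it needs a call site there, otherwise a comment stating it is sysvinit-only. The backtick substitutions on lines 126 and 154 would read better as `$(...)`.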
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
new file mode 100755
index 0000000..d4f3f71
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init_0.1.bb b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init_0.1.bb
new file mode 100755
index 0000000..c97316e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-init_0.1.bb
@@ -0,0 +1,25 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-secon \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = " \
+ file://${BPN}.sh \
+ file://${BPN}.sh.sysvinit \
+ file://${BPN}.service \
+"
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-initsh.inc b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-initsh.inc
new file mode 100755
index 0000000..f6a3d85
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-initsh.inc
@@ -0,0 +1,41 @@
+S ?= "${WORKDIR}"
+SECTION ?= "base"
+
+# Default is for script name to be the same as the recipe name.
+# Script must have .sh suffix.
+SELINUX_SCRIPT_SRC ?= "${BPN}"
+SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
+
+INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
+INITSCRIPT_PARAMS ?= "start 00 S ."
+
+CONFFILES:${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
+
+PACKAGE_ARCH ?= "${MACHINE_ARCH}"
+
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE:${PN} = "${SELINUX_SCRIPT_SRC}.service"
+
+FILES:${PN} += "/.autorelabel"
+
+do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+ # Insert the relabelling code which is only needed with sysvinit
+ sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+ -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ fi
+}
+
+sysroot_stage_all:append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
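Review bot: The `sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit'` on line 227 runs for every recipe that requires this .inc, but only selinux-init ships a `.sh.sysvinit`; for selinux-autorelabel and selinux-labeldev the `r` command names a file that does not exist, and the build only succeeds because GNU sed silently reads nothing for a missing `r` file. Make the intent explicit: `if [ -f ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit ]; then sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}; fi`, with the two `d` expressions still applied unconditionally. `FILES:${PN} += "/.autorelabel"` likewise belongs in selinux-autorelabel_0.1.bb, the only recipe that creates the file.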
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
new file mode 100755
index 0000000..96142a3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux init for /dev service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-labeldev.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
new file mode 100755
index 0000000..62e7a42
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
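Review bot: The two `chcon` lines (283-284) splice unquoted backtick output in as the `-t` argument, so if `matchpathcon` fails or prints nothing the command degrades to `chcon -t /dev/null` with no target, the error is ignored and `restorecon -RF /dev` runs regardless. Capture the type first and check it, e.g. `t=$(${MATCHPATHCON} -n /dev/console | cut -d: -f3)` followed by `[ -n "$t" ] && ${CHCON} -t "$t" /dev/console`, and exit non-zero when the /dev relabel fails so the unit reports failure instead of the unconditional `exit 0`. The comment on line 282, `would can not use it`, reads better as `would not be able to use it`.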
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
new file mode 100755
index 0000000..d29efec
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
@@ -0,0 +1,19 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+ file://${BPN}.service \
+ "
+
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc
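Review bot: `SUMMARY = "SELinux init script"` is copied from selinux-init_0.1.bb and no longer describes this recipe; `SUMMARY = "SELinux /dev labeling script"` keeps the two packages distinguishable in package lists. `SELINUX_SCRIPT_DST = "0${BPN}"` controls the sysvinit start order through the init.d filename, presumably to sort this script ahead of the others; a comment such as `# leading 0 so the init.d link sorts before the other selinux-* scripts` would make that intent explicit.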