CHROMIUM: ensure we mount /sys and /proc properly when using SELinux
As part of initial policy loading process, libselinux would mount /proc
and /sys, if they were not already mounted, and it would not use the
standar mount flags, such as nosuid, noexec, nodev, that upstart would
normally use. To make sure the behavior is consistent in all the cases
let's mount /sys, /proc, and even /sys/fs/selinux ourselves, before
trying to load SELinux policy and re-executing init.
This rearranges SELinux support patch a bit by moving selinuxfs mounting
and policy loading code slightly later in the startup process so that
the mounting code is kept in the single place. It also allows us to use
standard nih library logging methods.
Note that we mount selinuxfs as nosuid, noexec, but leave out the nodev
option as there is null device on selinufs and things break if we try to
mount it as nodev.
BUG=b:29003204
TEST=Booted minnie, validated filesystems are mounted with correct
permissions.
Reviewed-on: https://chromium-review.googlesource.com/351002
Change-Id: Id182027516281144e9790ef82351344974605dcd
4 files changed