ksud: load profile sepolicy rules when boot

userspace/ksud/src/event.rs

@@ -158,6 +158,10 @@ pub fn on_post_data_fs() -> Result<()> {
         warn!("load sepolicy.rule failed");
     }
 
+    if let Err(e) = crate::profile::apply_sepolies() {
+        warn!("apply root profile sepolicy failed: {}", e);
+    }
+
     // exec modules post-fs-data scripts
     // TODO: Add timeout
     if let Err(e) = crate::module::exec_post_fs_data() {

userspace/ksud/src/profile.rs

@@ -1,6 +1,6 @@
-use crate::defs;
+use crate::{defs, sepolicy};
 use crate::utils::ensure_dir_exists;
-use anyhow::Result;
+use anyhow::{Context, Result};
 use std::path::Path;
 
 pub fn set_sepolicy(pkg: String, policy: String) -> Result<()> {
@@ -44,3 +44,27 @@ pub fn list_templates() -> Result<()> {
     }
     Ok(())
 }
+
+pub fn apply_sepolies() -> Result<()> {
+    let path = Path::new(defs::PROFILE_SELINUX_DIR);
+    if !path.exists() {
+        log::info!("profile sepolicy dir not exists.");
+        return Ok(());
+    }
+
+    let sepolicies =
+        std::fs::read_dir(path).with_context(|| "profile sepolicy dir open failed.".to_string())?;
+    for sepolicy in sepolicies {
+        let Ok(sepolicy) = sepolicy else {
+            log::info!("profile sepolicy dir read failed.");
+            continue;
+        };
+        let sepolicy = sepolicy.path();
+        if sepolicy::apply_file(&sepolicy).is_ok() {
+            log::info!("profile sepolicy applied: {:?}", sepolicy);
+        } else {
+            log::info!("profile sepolicy apply failed: {:?}", sepolicy);
+        }
+    }
+    Ok(())
+}