ksud: support module sepolicy.rule

userspace/ksud/src/event.rs

@@ -127,6 +127,11 @@ pub fn on_post_data_fs() -> Result<()> {
     println!("mount {} to {}", target_update_img, module_dir);
     mount_image(target_update_img, module_dir)?;
 
+    // load sepolicy.rule
+    if (crate::module::load_sepolicy_rule().is_err()) {
+        println!("load sepolicy.rule failed");
+    }
+
     // mount systemless overlay
     if let Err(e) = do_systemless_mount(module_dir) {
         println!("do systemless mount failed: {}", e);

userspace/ksud/src/module.rs

@@ -1,4 +1,4 @@
-use crate::{defs, restorecon};
+use crate::{defs, restorecon, sepolicy};
 use crate::{restorecon::setsyscon, utils::*};
 
 use const_format::concatcp;
@@ -171,6 +171,31 @@ fn is_executable(path: &Path) -> bool {
         )
 }
 
+pub fn load_sepolicy_rule() -> Result<()> {
+    let modules_dir = Path::new(defs::MODULE_DIR);
+    let dir = std::fs::read_dir(modules_dir)?;
+    for entry in dir.flatten() {
+        let path = entry.path();
+        let disabled = path.join(defs::DISABLE_FILE_NAME);
+        if disabled.exists() {
+            println!("{} is disabled, skip", path.display());
+            continue;
+        }
+
+        let rule_file = path.join("sepolicy.rule");
+        if !rule_file.exists() {
+            continue;
+        }
+        println!("load policy: {}", &rule_file.display());
+
+        if sepolicy::apply_file(&rule_file).is_err() {
+            println!("Failed to load sepolicy.rule for {}", &rule_file.display());
+        }
+    }
+
+    Ok(())
+}
+
 /// execute every modules' post-fs-data.sh
 pub fn exec_post_fs_data() -> Result<()> {
     let modules_dir = Path::new(defs::MODULE_DIR);

userspace/ksud/src/sepolicy.rs

@@ -11,7 +11,7 @@ use nom::{
     sequence::Tuple,
     IResult, Parser,
 };
-use std::vec;
+use std::{vec, path::Path};
 
 type SeObject<'a> = Vec<&'a str>;
 
@@ -725,7 +725,7 @@ pub fn live_patch(policy: &str) -> Result<()> {
     Ok(())
 }
 
-pub fn apply_file(path: &str) -> Result<()> {
+pub fn apply_file<P: AsRef<Path>>(path: P) -> Result<()> {
     let input = std::fs::read_to_string(path)?;
     live_patch(&input)
 }