Properly set SELinux context after reboot

JingMatrix · JingMatrix · commit 487e83555989 · 2025-11-08T20:17:05.000+01:00
After reboot, the SELinux context labels for files located in `/data/adb` are reset to `u:object_r:adb_data_file:s0`. To fully address the issue in ed1f61d, we should always compare the SELinux context and reset it when necessary.
diff --git a/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java b/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java
@@ -70,6 +70,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
+import java.util.stream.Stream;
 import java.util.zip.Deflater;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
@@ -454,20 +455,38 @@ static void ensureModuleFilePath(String path) throws RemoteException {
 
     static Path resolveModuleDir(String packageName, String dir, int userId, int uid) throws IOException {
         var path = modulePath.resolve(String.valueOf(userId)).resolve(packageName).resolve(dir).normalize();
-        if (uid != -1) {
-            if (path.toFile().mkdirs()) {
-                try {
-                    SELinux.setFileContext(path.toString(), "u:object_r:xposed_data:s0");
-                    Os.chown(path.toString(), uid, uid);
-                    Os.chmod(path.toString(), 0755);
-                } catch (ErrnoException e) {
-                    throw new IOException(e);
-                }
+        // Ensure the directory and any necessary parent directories exist.
+        path.toFile().mkdirs();
+
+        if (SELinux.getFileContext(path.toString()) != "u:object_r:xposed_data:s0") {
+            // SELinux label could be reset after a reboot.
+            try {
+                setSelinuxContextRecursive(path, "u:object_r:xposed_data:s0");
+                Os.chown(path.toString(), uid, uid);
+                Os.chmod(path.toString(), 0755);
+            } catch (ErrnoException e) {
+                throw new IOException(e);
             }
         }
         return path;
     }
 
+     private static void setSelinuxContextRecursive(Path path, String context) throws IOException {
+        try {
+            SELinux.setFileContext(path.toString(), context);
+
+            if (Files.isDirectory(path)) {
+                try (Stream<Path> stream = Files.list(path)) {
+                    for (Path entry : (Iterable<Path>) stream::iterator) {
+                        setSelinuxContextRecursive(entry, context);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            throw new IOException("Failed to recursively set SELinux context for " + path, e);
+        }
+    }
+
     private static class FileLocker {
         private final FileChannel lockChannel;
         private final FileLock locker;
diff --git a/hiddenapi/stubs/src/main/java/android/os/SELinux.java b/hiddenapi/stubs/src/main/java/android/os/SELinux.java
@@ -9,6 +9,10 @@ public static boolean setFileContext(String path, String context) {
         throw new UnsupportedOperationException("Stub");
     }
 
+    public static String getFileContext(String path) {
+        throw new UnsupportedOperationException("Stub");
+    }
+
     public static boolean setFSCreateContext(String context){
         throw new UnsupportedOperationException("Stub");
     }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,10 @@ public static boolean setFileContext(String path, String context) {`
`9`	`9`	`throw new UnsupportedOperationException("Stub");`
`10`	`10`	`}`
`11`	`11`
	`12`	`+ public static String getFileContext(String path) {`
	`13`	`+ throw new UnsupportedOperationException("Stub");`
	`14`	`+ }`
	`15`	`+`
`12`	`16`	`public static boolean setFSCreateContext(String context){`
`13`	`17`	`throw new UnsupportedOperationException("Stub");`
`14`	`18`	`}`