Simplify matching selinux context of child zygote (#8845)

2025-10-31 08:44:07 +00:00 · 2025-03-11 16:27:15 +08:00
parent f14e3a89cc
commit 52ef1d1cb2
1 changed files with 6 additions and 6 deletions
--- a/native/src/core/deny/utils.cpp
+++ b/native/src/core/deny/utils.cpp
@@ -10,6 +10,7 @@
 #include <base.hpp>
 #include <sqlite.hpp>
 #include <core.hpp>
+#include <selinux.hpp>

 #include "deny.hpp"

@@ -108,12 +109,11 @@ static bool proc_name_match(int pid, string_view name) {

 bool proc_context_match(int pid, string_view context) {
    char buf[PATH_MAX];
-    sprintf(buf, "/proc/%d/attr/current", pid);
-    if (auto fp = open_file(buf, "re")) {
-        fgets(buf, sizeof(buf), fp.get());
-        if (str_starts(buf, context)) {
-            return true;
-        }
+    char con[1024];
+
+    sprintf(buf, "/proc/%d", pid);
+    if (lgetfilecon(buf, { con, sizeof(con) }) >= 0) {
+        return str_starts(con, context);
    }
    return false;
 }