Mount encrypted storage with dedicated context
Mount the crypt device with a dedicated fscontext/context. This is required to
restrict the payload from executing anything from the directory.
Another use is restricting relabeling from this fscontext.
Bug: 261477008
Test: atest MicrodroidTests#encryptedStorageAvailable
Change-Id: I69445fc16306f7c97b8d4241db34ef92c16e456a
diff --git a/encryptedstore/src/main.rs b/encryptedstore/src/main.rs
index 9c8311d..7140ae2 100644
--- a/encryptedstore/src/main.rs
+++ b/encryptedstore/src/main.rs
@@ -137,7 +137,10 @@
fn mount(source: &Path, mountpoint: &Path) -> Result<()> {
create_dir_all(mountpoint).context(format!("Failed to create {:?}", &mountpoint))?;
- let mount_options = CString::new("").unwrap();
+ let mount_options = CString::new(
+ "fscontext=u:object_r:encryptedstore_fs:s0,context=u:object_r:encryptedstore_file:s0",
+ )
+ .unwrap();
let source = CString::new(source.as_os_str().as_bytes())?;
let mountpoint = CString::new(mountpoint.as_os_str().as_bytes())?;
let fstype = CString::new("ext4").unwrap();
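Review bot: The SELinux labels in the new `mount_options` literal carry the whole security purpose of this change, but the rationale is given only in the commit message, so a later edit to the string could weaken the confinement without anyone noticing. I would add a comment above the literal, e.g. `// fscontext labels the filesystem, context labels every file on it, so sepolicy can restrict exec and relabeling by the payload.` The `.unwrap()` cannot fail for this literal, since it has no interior NUL, but `.expect("mount options contain no NUL byte")` would state that invariant. The mount flags and the actual mount call lie outside the hunk, as mount's body continues past it; if `MS_NOEXEC` is not already among the flags, it may be worth adding as defence in depth so that the no-exec guarantee does not rest on policy alone.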