commit 1aeaaedbc9df8ce56fb2e0fffeef9f8519b9e8a2
author Shikha Panwar <shikhapanwar@google.com> Thu Dec 08 13:18:56 2022 +0000
committer Shikha Panwar <shikhapanwar@google.com> Fri Dec 09 19:26:34 2022 +0000
tree bed13a48f57f416b2ff53e72d822973faba9198d
parent e14e69a947a473ce81f220bae3caea122f5bca97

Selinux label for /mnt/encryptedstore

Create a label for the encrypted storage. encryptedstore_file & _fs
corresponding to the file & fs type.

encryptedstore process mounts the device on /mnt/encryptedstore with
fscontext & context.

microdroid_payload will have rw & related permissions on it. Also, add a
neverallow rule to deny execute permission on all domains.

encryptedstore needs relabel permission from tmpfs to
encryptedstore_file, along with mount like permissions on the later.

Bug: 261477008
Test: atest MicrodroidTests#encryptedStorageAvailable

Change-Id: Iffa1eb400f90874169d26fc2becb1dda9a1269a9

microdroid/system/private/file.te

diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index b94571d..da54361 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
 allow extra_apk_file zipfusefs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
@@ -20,3 +21,6 @@
 
 # /system/bin/mke2fs - used to format encryptedstore block device
 type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;