Merge "Allow vendor_init and e2fs to enable metadata encryption"
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7769b65..ae0d4e7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
usbd_tmpfs
vendor_init
vendor_shell
+ vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/e2fs.te b/private/e2fs.te
deleted file mode 100644
index 2c4c013..0000000
--- a/private/e2fs.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow e2fs devpts:chr_file { read write };
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-
diff --git a/public/e2fs.te b/public/e2fs.te
index a955121..6fcd0c2 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,9 +1,12 @@
type e2fs, domain, coredomain;
type e2fs_exec, exec_type, file_type;
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs {
proc_filesystems
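Review bot: The new `allow e2fs dev_type:blk_file getattr;` widens a rule that was scoped to `block_device` to every block-device type in the policy, while the commit only motivates access to the metadata partition; getattr is stat-only so the exposure is small, but if the intent is just to resolve /dev/block/by-name links to the devices e2fs now opens, `allow e2fs { block_device userdata_block_device metadata_block_device }:blk_file getattr;` keeps it as tight as before. The new devpts rule also grants unrestricted `ioctl` on the inherited pty; if this tree uses ioctl allowlisting for ttys (an `allowxperm e2fs devpts:chr_file ioctl` with the unprivileged tty set), adding it here would bound what e2fs can do to that terminal, and if no such macro exists a comment saying why full ioctl is needed would help the next reviewer. I cannot see the callers of e2fs from this diff, so the narrower getattr set is a suggestion to confirm against how vold invokes it.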
@@ -12,6 +15,7 @@
}:file r_file_perms;
# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
# access sselinux context files
diff --git a/public/file.te b/public/file.te
index 932ecbf..f45de90 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
+# /metadata subdirectories
+type vold_metadata_file, file_type;
+
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
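Review bot: The comment `# /metadata subdirectories` on the new type is broader than what the type is used for: vold.te in this change describes it as vold's own area of the metadata partition, the counterpart of `vold_data_file` under /data, and nothing in this diff labels a path with it, so the file_contexts entry presumably lives in device policy. Suggest `# vold's subdirectory of the metadata partition (counterpart of vold_data_file in /data); assigned via file_contexts` so a reader knows the type is not a catch-all for /metadata and where to look for the labeling.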
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c56b45c..dbb20fd 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -38,6 +38,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
@@ -48,6 +49,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
@@ -57,6 +59,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -66,6 +69,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -74,6 +78,7 @@
-exec_type
-system_file
-vendor_file_type
+ -vold_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index a490e06..0107ebd 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -172,6 +172,10 @@
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
@@ -198,10 +202,48 @@
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
-neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
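Review bot: The new `vold_metadata_file:dir *` neverallow has no counterpart to the first `vold_data_file:dir` rule, so init and vendor_init are left unconstrained on these directories (write, add_name, remove_name and rmdir included), whereas under /data init is held to the `{ open create read getattr setattr search relabelto ioctl }` set; adding `neverallow { domain -vold } vold_metadata_file:dir ~{ open create read getattr setattr search relabelto ioctl };` gives the metadata directory the same floor while still letting init and vendor_init create and relabel it. The file-class rule for `vold_metadata_file:notdevfile_class_set ~{ relabelto getattr }` also exempts `-init`, while its vold_data_file twin just above exempts kernel instead, so init could open and write files only vold is meant to touch; unless init needs that, drop `-init` from that exemption list. Both points assume vendor_init and init only need to mkdir and label the directory, which is what the vendor_init.te hunks in this change suggest but do not show.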