Modify permissions to move encryption policy assignment to vold_prepare_subdirs

We have moved the encryption policy assignment from vold to
vold_prepare_subdirs. This CL removes some permissions from vold
over storage areas that are no longer needed due to this change,
and adds some permissions to vold_prepare_subdirs.

Bug: 325129836
Test: atest StorageAreaTest
Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81
diff --git a/private/vold.te b/private/vold.te
index 7716bd1..2c1fb8f 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -63,16 +63,14 @@
 allow vold keystore:keystore2 delete_all_keys;
 
 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-    # Allow vold to encrypt storage area directories on behalf of apps.
-    allow vold {
-        storage_area_dir
-        storage_area_app_dir
-    }:dir {
-        getattr
-        ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
+    allow vold storage_area_app_dir:dir search;
+    # Allow vold to get the encryption policy and
+    # verify the ownership of storage areas
+    allow vold storage_area_dir:dir {
+        read
         open
-        read # for open(O_RDONLY) for ioctl
-        search
+        getattr
+        ioctl
     };
 ')
 
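Review bot: The rewritten `storage_area_dir` rule keeps a bare `ioctl` permission for vold but drops the inline comments that named the ioctl, so the block no longer shows that vold is meant to read the policy and not set it. I would annotate the line, e.g. `ioctl # for FS_IOC_GET_ENCRYPTION_POLICY` (if that is the request used), and add a one-line comment above `allow vold storage_area_app_dir:dir search;` stating why vold still needs to traverse the per-app directory. The neverallowxperm later in this file still exempts vold for every `data_file_type` directory, and nothing in this hunk narrows vold's extended permissions. It is worth confirming whether vold can still issue FS_IOC_SET_ENCRYPTION_POLICY on `storage_area_dir` after this change, and whether that is intended.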
@@ -409,6 +407,7 @@
   -vold
   -init
   -vendor_init
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ')
 } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
 
 # Only vold should ever add/remove file-based encryption keys.
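Review bot: The added `-vold_prepare_subdirs` entry exempts that domain from this neverallowxperm for every `data_file_type` directory, and nothing in vold.te says where the narrower limit is enforced. The compensating `neverallowxperm` that confines it to `storage_area_dir` lives in private/vold_prepare_subdirs.te under the same flag. A comment above the new line, such as `# vold_prepare_subdirs is limited to storage_area_dir by a neverallowxperm in vold_prepare_subdirs.te`, would keep the two rules from drifting apart. The neverallowxperm statement begins above the hunk, so the rest of its source set is not visible here.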
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1dc00b2..44c9ea5 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -75,6 +75,15 @@
   type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
 
   selinux_check_context(vold_prepare_subdirs)
+
+  allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
+')
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallowxperm vold_prepare_subdirs {
+    data_file_type
+    -storage_area_dir
+  }:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
 ')
 
 # Migrate legacy labels to apex_system_server_data_file (b/217581286)
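Review bot: The new `allowxperm ... FS_IOC_SET_ENCRYPTION_POLICY` only takes effect if vold_prepare_subdirs also holds the base `ioctl` permission on `storage_area_dir:dir`, and no such `allow` rule is visible in this hunk. It may sit earlier in the flag-guarded block, which starts above the hunk, so please confirm. Once an allowxperm exists for this source/target/class, any other ioctl the domain issues on these directories must be allowlisted too, for example a policy read before the set. Both added rules are uncommented; I would put `# Set the encryption policy on storage areas (moved here from vold).` above the allowxperm and `# ...and on no other data directory.` above the neverallowxperm.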