Allow access to the metadata partition for metadata encryption.
Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..2c4c013
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 76318ec..cffe5cd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -556,8 +556,14 @@
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
diff --git a/public/fsck.te b/public/fsck.te
index 7cc7e8b..c5219d8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@
neverallow fsck {
boot_block_device
frp_block_device
- metadata_block_device
recovery_block_device
root_block_device
swap_block_device