Merge "Label block devices created or accessed by vold with specific types."
diff --git a/device.te b/device.te
index c1f3d28..20e95a5 100644
--- a/device.te
+++ b/device.te
@@ -11,6 +11,7 @@
 type loop_device, dev_type;
 type radio_device, dev_type;
 type ram_device, dev_type;
+type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
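Review bot: The new `type vold_device, dev_type;` line carries no comment saying which nodes it labels, unlike the `metadata_block_device` type added further down in this same file with a three-line explanation. From this hunk alone a reader cannot tell that it is the label for the `/dev/block/vold/<major>:<minor>` nodes matched in file_contexts. Suggest a one-line comment above it: `# Block device nodes vold creates under /dev/block/vold/ (see file_contexts).`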
@@ -82,3 +83,8 @@
 
 # Block device for any swap partition.
 type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
diff --git a/file_contexts b/file_contexts
index 2efd7e9..4325cf3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -40,7 +40,9 @@
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vold/[0-9]+:[0-9]+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/cam		u:object_r:camera_device:s0
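Review bot: The new `/dev/block/vold/[0-9]+:[0-9]+` entry is the only pattern that yields vold_device, so any node vold creates under /dev/block/vold/ with a different name would still fall under the generic `/dev/block(/.*)?` entry above it and stay block_device; presumably that is what the `auditallow vold block_device:blk_file` added in vold.te is meant to catch, but nothing here says so. A short comment would make the contract explicit, e.g. `# major:minor nodes created by vold itself; any other name here stays block_device and is audited in vold.te`. It is also worth stating on the `dm-[0-9]+` line that the label is expected to be applied by whoever creates the node, since a file_contexts entry alone does not relabel an existing device node; I cannot confirm the creator from this page.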
diff --git a/vold.te b/vold.te
index ef3924b..f605f8a 100644
--- a/vold.te
+++ b/vold.te
@@ -5,9 +5,11 @@
 init_daemon_domain(vold)
 
 typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
+auditallow vold block_device:blk_file create_file_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
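Review bot: The broad `allow vold block_device:blk_file create_file_perms;` directly above the new auditallow is left in place, so introducing vold_device, loop_device and dm_device rules does not yet restrict vold at all — the auditallow only logs which accesses still hit the generic type. The follow-up intent should be recorded next to it so the allow is not forgotten: `# TODO: drop the generic block_device rule once audit logs show vold only uses its specific block types.` The new `allow vold self:process setfscreate;` also deserves a why-comment, e.g. `# setfscreate: vold labels the /dev/block/vold nodes it mknods as vold_device (file_contexts)`, since a capability that lets a daemon pick the label of files it creates is the kind of rule a later reviewer will question without context. This hunk is part of the file-level vold domain definition, which continues outside the hunk.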
@@ -22,8 +24,10 @@
 allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file rw_file_perms;
+allow vold loop_device:blk_file create_file_perms;
+allow vold vold_device:blk_file create_file_perms;
 allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
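Review bot: `allow vold loop_device:blk_file rw_file_perms;` is widened to `create_file_perms` with no explanation, and create_file_perms presumably also covers create, unlink, rename and setattr on /dev/block/loop* nodes rather than just opening existing ones — a larger grant than the rest of the hunk (dm_device only gains rw_file_perms). If vold genuinely creates or removes loop device nodes, say so on the line: `# vold creates/removes /dev/block/loop* nodes itself, hence create rather than rw`. If it only needs to open them, the original rw_file_perms would be the tighter choice; I cannot tell which from this page. The dm_device:blk_file rule would also read better with a note that chr_file is the /dev/device-mapper control node and blk_file the mapped /dev/block/dm-N devices labeled in file_contexts.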
@@ -94,4 +98,6 @@
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
-auditallow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;