Allow shell to get encryption policy for CTS

Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
diff --git a/private/shell.te b/private/shell.te
index 8a933a5..53a6a7a 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -79,3 +79,9 @@
 userdebug_or_eng(`
   set_prop(shell, linker_prop)
 ')
+
+# Allow shell to get encryption policy of /data/local/tmp/, for CTS
+allowxperm shell shell_data_file:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_GET_ENCRYPTION_POLICY_EX
+};
diff --git a/public/ioctl_defines b/public/ioctl_defines
index c5b412b..48fed86 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -804,6 +804,7 @@
 define(`FS_IOC_ENABLE_VERITY', `0x6685')
 define(`FS_IOC_FIEMAP', `0xc020660b')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
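Review bot: The added value 0xc0096616 has a size byte of 0x09 and a 0xc0 direction prefix, where the neighbouring FS_IOC_GET_ENCRYPTION_POLICY (0x400c6615) and FS_IOC_GET_ENCRYPTION_PWSALT (0x40106614) use 0x40 with sizes 0x0c and 0x10. An odd size like this is easy to mistype and a wrong constant would make the allowxperm rule in shell.te fail to match without any build error. Please note in the commit message which kernel uapi header the value was taken from. Sort order relative to the _POLICY and _PWSALT entries looks right.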