Merge "Create a label for the root block device."
diff --git a/domain.te b/domain.te
index 5ac6b46..1fb2ef8 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
# Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;
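Review bot: The exemption added on line 10 removes uncrypt from both `sys_rawio` and `mknod`, but the new uncrypt domain only asks for `sys_rawio` (uncrypt.te: `allow uncrypt self:capability sys_rawio;`), so after this change the neverallow no longer guards uncrypt against a future `mknod` grant. Splitting the rule keeps the unneeded capability covered: `neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability mknod;` followed by `neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability sys_rawio;`. If the wider exemption is needed because uncrypt is unconfined on some builds via `permissive_or_unconfined`, a comment on line 10 saying so would stop the next reader from narrowing it.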
@@ -203,7 +203,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
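Review bot: Line 17 exempts uncrypt from the generic `block_device` neverallow even though the comment directly above it (lines 14-15) says such access should force a relabel to a more specific type, and uncrypt.te then grants `allow uncrypt block_device:blk_file w_file_perms;` on that generic type. The merge title speaks of creating a label for the root block device, yet no new block-device type appears anywhere in this diff; if it is defined in another change, uncrypt.te should target that type and this exemption can be dropped, otherwise a comment on line 17 should say why the generic type is written here. The same point applies to the final `allow` in the uncrypt.te hunk.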
diff --git a/file_contexts b/file_contexts
index d4315b0..81698d1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -150,6 +150,7 @@
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
#############################
# Vendor files
#
diff --git a/seapp_contexts b/seapp_contexts
index 2049b8a..6c0a9a3 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -3,6 +3,7 @@
# user (string)
# seinfo (string)
# name (string)
+# path (string)
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
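Review bot: The new `# path (string)` input on line 40 does not say how the value is matched, while the rule added later in this file (`path=cache*`) relies on a trailing `*`; presumably that denotes a prefix match, but this should be confirmed against the matcher in libselinux before documenting it. Suggest something like `# path (string) - matched against the file path; a trailing * matches any suffix` once the semantics are confirmed, so that entry authors do not have to guess. The check_seapp.c hunk in this change only registers `path` as a string key, and nothing visible there validates the wildcard form.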
@@ -19,7 +20,8 @@
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
-# (7) Specified sebool= string before unspecified sebool= string.
+# (7) Specified path= string before unspecified path= string.
+# (8) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
@@ -41,6 +43,7 @@
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
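Review bot: The entry on line 58 differs from every neighbouring entry in that it sets `type=` without `domain=`, and it references `download_file`, which is not defined anywhere in this diff (presumably it lives in file.te in another change). If a type-only entry is intended to relabel just that sub-path of the provider's data without affecting the process domain, a comment above the line stating that intent would help, e.g. `# Label only the downloads provider's cache* files; no domain= on purpose.` Without it, a reader may take the missing `domain=` for an omission.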
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 19e2ab2..e5108e3 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -160,6 +160,7 @@
{ .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
+ { .name = "path", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "sebool", .type = dt_string, .dir = dir_in, .data = NULL },
/*Outputs*/
{ .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },
diff --git a/uncrypt.te b/uncrypt.te
new file mode 100644
index 0000000..97258a7
--- /dev/null
+++ b/uncrypt.te
@@ -0,0 +1,30 @@
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+init_daemon_domain(uncrypt)
+permissive_or_unconfined(uncrypt)
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;
+
+# Set a property to reboot the device.
+unix_socket_connect(uncrypt, property, init)
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file w_file_perms;
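Review bot: The comment on line 89 scopes the read to one provider's `app_download` directory, but `r_dir_file(uncrypt, app_data_file)` on line 90 grants read access to every application's private data, which is far wider than the comment suggests; either the comment should state that the grant is deliberately broad, or the OTA download location should get its own type so the rule can name it. The `dac_override` capability on line 87 is granted without any explanation of which access needs it (likely reading another uid's app data, given the following rule), so a short `# needed to ...` comment there would help. Note that `permissive_or_unconfined(uncrypt)` on line 85 means these allow rules are not what confines the domain on builds where it is unconfined, so the breadth is worth tightening before the domain is confined.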