Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c285cad1a6a52763c0faf2faa60a287341e23842^! / .
commitc285cad1a6a52763c0faf2faa60a287341e23842[log] [tgz]
authorTao Bao <tbao@google.com>Fri Feb 26 10:30:12 2016 -0800
committerTao Bao <tbao@google.com>Wed Mar 02 10:51:13 2016 -0800
tree0800f27abdb9af59c304d47d9b3231aa0d4f9639
parent47f8e1f04077d6930e597bca6aeee88fcae4d16f [diff]
Add /dev/socket/uncrypt.

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca

diff --git a/file.te b/file.te
index 1efdc58..af111ad 100644
--- a/file.te
+++ b/file.te

@@ -206,6 +206,7 @@
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type;
+type uncrypt_socket, file_type;
 type vold_socket, file_type;
 type wpa_socket, file_type;
 type zygote_socket, file_type;

diff --git a/file_contexts b/file_contexts
index e94c95e..c874a94 100644
--- a/file_contexts
+++ b/file_contexts

@@ -116,6 +116,7 @@
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
+/dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
 /dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0

diff --git a/system_server.te b/system_server.te
index 1dd7a6e..a64646d 100644
--- a/system_server.te
+++ b/system_server.te

@@ -125,6 +125,7 @@
 unix_socket_connect(system_server, gps, gpsd)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_send(system_server, wpa, wpa)
+unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };

diff --git a/uncrypt.te b/uncrypt.te
index 354bda0..c8840dd 100644
--- a/uncrypt.te
+++ b/uncrypt.te

@@ -16,10 +16,11 @@
 
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
-# Write to pipe file /cache/recovery/uncrypt_status
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
-allow uncrypt cache_recovery_file:fifo_file w_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)