Encryptedstore/Selinux: Format the crypt device

Add selinux policies required for formatting the crypt device.
1. Allow encryptedstore to execute mke2fs.
2. The execution will happen without domain transition - so add
   permissions related to formatting the device.
3. Allow encryptedstore to write on /dev/vd device - required to zero
   starting bits initially

Test: Run vm with --storage & --storage-size option
Bug: 241541860
Change-Id: I9766e3c67e47a58707beee8b3a156944e3b0a9ce
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 4bbf657..522f090 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -10,10 +10,10 @@
 r_dir_file(encryptedstore, block_device)
 
 # encryptedstore accesses /dev/vd* block device file.
-allow encryptedstore vd_device:blk_file r_file_perms;
+allow encryptedstore vd_device:blk_file rw_file_perms;
 
 # allow encryptedstore to create dm-crypt devices
-allow encryptedstore dm_device:{chr_file blk_file} rw_file_perms;
+allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;
 
 # sys_admin is required to access the device-mapper and mount
 allow encryptedstore self:global_capability_class_set sys_admin;
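Review bot: The switch to `rw_file_perms` on `vd_device:blk_file` gives encryptedstore write access to every block device carrying the `vd_device` label, not only the disk it formats. The commit message says write is needed only to zero the start of the storage device, so a dedicated type for that one disk would keep the other /dev/vd* devices read-only to this domain; whether such a label can be assigned is not visible from this hunk. At minimum the comment above the rule should record why write is granted, e.g. `# encryptedstore reads /dev/vd* and zeroes the start of the storage disk before formatting.`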
@@ -21,8 +21,27 @@
 # encryptedstore is forked from microdroid_manager
 allow encryptedstore microdroid_manager:fd use;
 
+# For formatting encrypted storage device
+allow encryptedstore e2fs_exec:file { rx_file_perms };
+allowxperm encryptedstore dm_device:blk_file ioctl {
+  BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
+};
+
+# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
+allow encryptedstore sysfs_fs_ext4_features:dir search;
+allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
+
+# encryptedstore to mount on /mnt/ directory
+allow encryptedstore tmpfs:dir  { add_name create mounton write };
+
+# Unmount and mount filesystem
+allow encryptedstore labeledfs:filesystem { mount unmount };
+
 # allow encryptedstore to log to the kernel
 allow encryptedstore kmsg_device:chr_file w_file_perms;
 
+# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
+allow encryptedstore kmsg_debug_device:chr_file w_file_perms;
+
 # Only microdroid_manager can run encryptedstore
 neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
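Review bot: `allow encryptedstore tmpfs:dir { add_name create mounton write };` applies to every directory with the generic `tmpfs` label, so a domain that already holds `sys_admin` may create entries in and mount over any of them, not just the intended mount point under /mnt. Giving that mount point its own type (placeholder name `encryptedstore_mnt_dir`) and granting `mounton` only on it would scope the rule to one path. Separately, `rx_file_perms` on `e2fs_exec` includes `execute_no_trans`, so mke2fs runs with all of encryptedstore's permissions. The comment on that rule could say so: `# mke2fs runs in the encryptedstore domain (no transition) and inherits its sys_admin and device access.`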
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index d15f9ba..b94571d 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -17,3 +17,6 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /system/bin/mke2fs - used to format encryptedstore block device
+type e2fs_exec, system_file_type, exec_type, file_type;
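Review bot: The new `e2fs_exec` type is declared without any rule limiting which domains may execute it; the comment is the only statement that it exists for encryptedstore. If encryptedstore is meant to be the sole user of mke2fs in microdroid, a neverallow beside the existing one in encryptedstore.te would enforce that at policy build time: `neverallow { domain -encryptedstore } e2fs_exec:file { execute execute_no_trans };`. This assumes no other domain needs it, for example through an attribute-wide rule on `exec_type`, which cannot be confirmed from this diff.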
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 489072f..8d34fb4 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -122,6 +122,7 @@
 /system/bin/authfs               u:object_r:authfs_exec:s0
 /system/bin/authfs_service       u:object_r:authfs_service_exec:s0
 /system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
+/system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
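Review bot: The added `/system/bin/mke2fs` entry separates the path and the context with tabs, while the neighbouring entries are aligned with spaces. Using spaces keeps the column alignment stable regardless of tab width: `/system/bin/mke2fs               u:object_r:e2fs_exec:s0`.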