Allow gsid to find and binder-call vold
Bug: 168571434
Test: 1. Install a DSU system.
2. Boot the DSU system and reboot back to the host system.
3. Wipe the DSU installation.
4. Verify that the DSU metadata key dir
/metadata/vold/metadata_encryption/dsu/dsu is destroyed.
Change-Id: I229a02abb7bd1f070bb078bdaf89fb27cc4bfa47
diff --git a/private/gsid.te b/private/gsid.te
index 3d91eb8..fe1d08e 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,11 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
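Review bot: `binder_call(gsid, vold)` lets gsid reach every method on vold's binder interface, because SELinux binder permissions are granted per domain and cannot be narrowed to a single call. The comment above the two rules should therefore say how little gsid is meant to use, for example `# gsid calls vold only to manage the DSU metadata encryption key (destroyed on DSU wipe); all other vold methods rely on vold's own caller checks.` It is worth confirming that vold's caller checks keep gsid away from its unrelated volume and key-management methods, since that code is not part of this diff.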
diff --git a/private/vold.te b/private/vold.te
index 0f464a9..09388f1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -44,3 +44,12 @@
use
};
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
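Review bot: This `neverallow` has no comment explaining its exemptions, yet it now lets six domains look up a service that manages encryption keys. A line above it such as `# Only these domains may look up vold_service; gsid is listed so it can manage the DSU metadata encryption key.` would make future additions to the list easier to review. The rule is moved here from public/vold.te, presumably because the gsid type is only declared in private policy. If that is the reason, stating it in the comment keeps the rule from being moved back. The block that closes with `};` just before the rule starts outside the hunk.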
diff --git a/public/vold.te b/public/vold.te
index 33fc620..078de23 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -333,15 +333,6 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
-} vold_service:service_manager find;
-
neverallow vold {
domain
-hal_health_storage_server