Different blkid and fsck execution domains.
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices like PrivateVolume
which are encrypted.
When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.
Bug: 19993667
Change-Id: I2695f028710a4863f0c3b2ed6da437f466401272
diff --git a/Ext4.cpp b/Ext4.cpp
index 42d6cd3..7316234 100644
--- a/Ext4.cpp
+++ b/Ext4.cpp
@@ -37,10 +37,12 @@
#define LOG_TAG "Vold"
+#include <base/logging.h>
#include <base/stringprintf.h>
#include <cutils/log.h>
#include <cutils/properties.h>
#include <logwrap/logwrap.h>
+#include <selinux/selinux.h>
#include "Ext4.h"
#include "Utils.h"
@@ -110,8 +112,17 @@
} else {
ALOGD("Running %s on %s\n", kFsckPath, blk_device);
+ // Ext4 devices are currently always trusted
+ if (setexeccon(android::vold::sFsckContext)) {
+ LOG(ERROR) << "Failed to setexeccon()";
+ errno = EPERM;
+ return -1;
+ }
ret = android_fork_execvp(ARRAY_SIZE(e2fsck_argv), e2fsck_argv,
&status, false, true);
+ if (setexeccon(NULL)) {
+ abort();
+ }
if (ret < 0) {
/* No need to check for error in fork, we can't really handle it now */