sepolicy: Add domain for mkfs binaries
The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.
[micky387] Change our context to this new one because fsck_exec causes an SELinux denial
when we try to format an SD card.
W binder:659_2: type=1400 audit(0.0:447): avc: denied { execute_no_trans } for path="/system/bin/mkfs.exfat" dev="dm-5" ino=445 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file permissive=0
https://github.com/omnirom/android_system_sepolicy/blob/android-13.0/public/vold.te#L341
Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 88b7ab1..297212f 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -7,4 +7,4 @@
/sys/block/[^/]+/queue/scheduler u:object_r:sysfs_block_scheduler:s0
/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
-/system/bin/mkfs\.exfat u:object_r:fsck_exec:s0
+/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
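Review bot: relabelling `/system/bin/mkfs\.exfat` to `mkfs_exec` only resolves the quoted denial if vold has a rule for that label, and nothing in this patch adds one. The denial has `scontext=u:r:vold:s0` with `execute_no_trans`, while the new mkfs.te only sets up the init transition through `init_daemon_domain(mkfs)`. If the vold-to-mkfs transition comes from the platform vold.te linked in the commit message, say so explicitly in the message; otherwise add the vold rule to this change so the fix does not depend on an unstated policy elsewhere.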
diff --git a/sepolicy/private/mkfs.te b/sepolicy/private/mkfs.te
new file mode 100644
index 0000000..dbd97b8
--- /dev/null
+++ b/sepolicy/private/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, coredomain, domain;
+type mkfs_exec, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
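Review bot: the allow rules at the end of mkfs.te grant block access only to `userdata_block_device` and `cache_block_device`, but the commit message gives SD card formatting from vold as the reason for the change. As written, a `mkfs.exfat` process running in the `mkfs` domain has no visible permission on the block device of removable media, so the original `execute_no_trans` denial may simply be replaced by a `blk_file` denial. Please confirm which device type the SD card node carries and where `mkfs` is allowed to open it, and update the "userdata or cache partitions" comment to match the real use case. Also consider declaring `mkfs_exec` with `system_file_type`, since the path it labels lives under `/system/bin`.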