    Label block devices created or accessed by vold with specific types. · 273d7ea4
    Stephen Smalley authored
    
    Assign a more specific type than block_device to all
    block devices created or accessed by vold. Allow vold
    to set the context on the device nodes it creates.
    
    vold can create extra loop devices (/dev/block/loopN) and
    block devices for volumes it manages (/dev/block/vold/M:N).
    
    vold can read/write device mapper block devices (/dev/block/dm-N)
    created for encrypted volumes.
    
    vold can read/write metadata partitions used to store encryption metadata.
    The metadata_block_device type should be assigned in device-specific
    policy to the partition specified by the encryptable= mount option
    for the userdata entry in the fstab.<board> file.
    
    This change does not remove the ability to create or read/write
    generic block_device devices by vold, so it should not break anything.
    It does add an auditallow statement on such accesses so that we can track
    remaining cases where we need to label such device nodes so that we can
    ultimately remove this access.
    
    Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
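What the policy described in the message looks like in SELinux type-enforcement language, as an illustrative fragment written for this page (it is not the commit's diff): every name except vold, block_device, metadata_block_device and the blk_file permissions is an assumption, including the type names loop_device, vold_device and dm_device and the dev_type attribute.

```selinux
# Illustrative policy fragment; type names other than block_device and
# metadata_block_device are assumed for the example, not taken from the commit.

# One type per class of block node vold touches.
type loop_device, dev_type;            # /dev/block/loopN
type vold_device, dev_type;            # /dev/block/vold/M:N
type dm_device, dev_type;              # /dev/block/dm-N (encrypted volumes)
type metadata_block_device, dev_type;  # partition named by encryptable= in fstab

# vold creates loop and volume nodes itself: it needs mknod and the right
# to move a freshly created node off the generic label onto its own type.
allow vold self:capability { sys_admin mknod };
allow vold { loop_device vold_device }:blk_file
    { create getattr setattr read write ioctl open unlink };
allow vold block_device:blk_file relabelfrom;
allow vold { loop_device vold_device }:blk_file relabelto;

# Device mapper and metadata nodes are created elsewhere; vold only
# reads and writes them, so no create/relabel permission here.
allow vold { dm_device metadata_block_device }:blk_file
    { getattr read write ioctl open };

# Transitional rule: keep the generic access so nothing breaks, but log
# every grant so nodes still carrying block_device can be found and labeled.
allow vold block_device:blk_file
    { create getattr setattr read write ioctl open unlink };
auditallow vold block_device:blk_file
    { create getattr setattr read write ioctl open unlink };
```

Accesses matched by the auditallow rule are reported as "avc: granted" records rather than denials, so filtering the kernel log for granted entries with scontext vold and tclass blk_file lists exactly the device nodes that still need a specific type.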