From 3ee85ca6aaeba3b860b9278c73e20c7018861b59 Mon Sep 17 00:00:00 2001
From: Paul Lawrence <paullawrence@google.com>
Date: Tue, 28 Apr 2015 19:16:22 +0000
Subject: [PATCH] Revert "Securely encrypt the master key"

This reverts commit 5287d9a8e5b137a5e0be884e622a35e0b6afe1ab.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
---
 domain.te | 1 -
 init.te   | 6 +++++-
 vold.te   | 8 ++------
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/domain.te b/domain.te
index 44612414f..7bc2292d5 100644
--- a/domain.te
+++ b/domain.te
@@ -93,7 +93,6 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 allow domain init:key search;
-allow domain vold:key search;
 
 # logd access
 write_logd(domain)
diff --git a/init.te b/init.te
index 89ddac79e..9f624ba77 100644
--- a/init.te
+++ b/init.te
@@ -257,7 +257,11 @@ allow init pstorefs:file r_file_perms;
 # linux keyring configuration
 allow init init:key { write search setattr };
 
-# Allow init to create /data/unencrypted
+# Allow init to link temp fs to unencrypted data on userdata
+allow init tmpfs:lnk_file { create read getattr relabelfrom };
+
+# Allow init to manipulate /data/unencrypted
+allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow init unencrypted_data_file:dir create_dir_perms;
 
 unix_socket_connect(init, vold, vold)
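Review bot: The two restored rules at L37 and L40 are documented only by what they allow, not by why init needs `relabelfrom` on a tmpfs symlink alongside `lnk_file` create rights under /data/unencrypted, so a later reader cannot tell which link init creates or whether the relabel step is still required. The pairing suggests init creates the link while the parent is still tmpfs and relabels it once userdata is mounted, but that sequence is inferred and should be confirmed from the boot scripts before it is written down. I would expand the L36 comment to name the link and the ordering, e.g. `# Allow init to create the <LINK-PATH placeholder> symlink while /data is still tmpfs and relabel it (relabelfrom) after userdata is mounted`, and note in the L39 comment that `lnk_file` is in the class set for the same reason. Both rules are broad grants to init; a one-line justification makes it much easier to tighten them later.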
diff --git a/vold.te b/vold.te
index 2cbb306d1..e72822c93 100644
--- a/vold.te
+++ b/vold.te
@@ -143,18 +143,14 @@ allow vold userdata_block_device:blk_file rw_file_perms;
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
+# Allow init to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
 # Give vold a place where only vold can store files; everyone else is off limits
 allow vold vold_data_file:dir rw_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
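Review bot: The restored comment at L54 says "Allow init to manipulate /data/unencrypted" but the rule on L55 (and the one on L56) grants the permission to vold, not init; the revert reinstates a copy-paste comment that the removed line L52 had already corrected. It should read `# Allow vold to manipulate /data/unencrypted`. Since this revert also takes vold's keyring rules back out (L62-L64) and re-adds `lnk_file` to vold's class set on L55, a short comment stating that vold now creates symlinks under /data/unencrypted would help the next person auditing why two domains need write access to the same directory.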
-- 
GitLab