From 47f3ed09d222ee126cf2fe23b5fe15cd0b64520e Mon Sep 17 00:00:00 2001
From: Paul Crowley <paulcrowley@google.com>
Date: Fri, 13 Oct 2017 14:54:32 -0700
Subject: [PATCH] vold_prepare_subdirs sets policy in vold-created dirs.

Bug: 25861755
Test: Boot device, observe logs
Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900
---
 private/compat/26.0/26.0.ignore.cil |  2 ++
 private/file_contexts               |  5 +++++
 private/vold_prepare_subdirs.te     |  1 +
 public/vold.te                      |  2 +-
 public/vold_prepare_subdirs.te      | 18 ++++++++++++++++++
 5 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 private/vold_prepare_subdirs.te
 create mode 100644 public/vold_prepare_subdirs.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1f2d82348..2cb4d09ef 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -33,6 +33,8 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
+    vold_prepare_subdirs
+    vold_prepare_subdirs_exec
     vold_service
     wpantund
     wpantund_exec
diff --git a/private/file_contexts b/private/file_contexts
index a98171477..fb6099d69 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -271,6 +271,7 @@
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
+/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
 
 #############################
 # Vendor files
@@ -431,6 +432,10 @@
 # User icon files
 /data/system/users/[0-9]+/photo.png             u:object_r:icon_file:s0
 
+# vold per-user data
+/data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
+
 #############################
 # efs files
 #
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
new file mode 100644
index 000000000..c2146f91a
--- /dev/null
+++ b/private/vold_prepare_subdirs.te
@@ -0,0 +1 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
diff --git a/public/vold.te b/public/vold.te
index a569f9ebd..10d3474c5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -200,7 +200,7 @@ allow vold misc_block_device:blk_file w_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
 neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
new file mode 100644
index 000000000..ddb588238
--- /dev/null
+++ b/public/vold_prepare_subdirs.te
@@ -0,0 +1,18 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file { ioctl read write };
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs system_data_file:dir { add_name write };
+allow vold_prepare_subdirs vold_data_file:dir { create getattr setattr };
-- 
GitLab