Merge "Allow vendor_init and e2fs to enable metadata encryption"

am: 5d422a30

Change-Id: I916b8925fca67ce6cada9e43c83e7936e6e75542

private/compat/26.0/26.0.ignore.cil

@@ -109,6 +109,7 @@
     usbd_tmpfs
     vendor_init
     vendor_shell
+    vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service

private/e2fs.te

-allow e2fs devpts:chr_file { read write };
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-

public/e2fs.te

 type e2fs, domain, coredomain;
 type e2fs_exec, exec_type, file_type;
 
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
 
 allow e2fs {
   proc_filesystems
@@ -12,6 +15,7 @@ allow e2fs {
 }:file r_file_perms;
 
 # access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
 
 # access sselinux context files

public/file.te

@@ -149,6 +149,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
+# /metadata subdirectories
+type vold_metadata_file, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.

public/vendor_init.te

@@ -38,6 +38,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
@@ -48,6 +49,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -57,6 +59,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -66,6 +69,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -74,6 +78,7 @@ allow vendor_init {
   -exec_type
   -system_file
   -vendor_file_type
+  -vold_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;

public/vold.te

@@ -172,6 +172,10 @@ allow vold proc_drop_caches:file w_file_perms;
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
 # linux keyring configuration
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
@@ -198,10 +202,48 @@ allow vold user_profile_data_file:dir create_dir_perms;
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
-neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+    domain
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+    domain
+    -init
+    -vendor_init
+    -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+    domain
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 # Only system_server and vdc can interact with vold over binder