From 5b2b0472798a14645db1b856ddb61a9e5053eac2 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Fri, 23 Jun 2017 16:30:24 -0600
Subject: [PATCH] Let vold execute mke2fs.

When adopting SD cards, vold partitions and formats those devices;
this had been working fine with the older make_ext4fs utility, but
newer devices are switching over to mke2fs, which has a different
SELinux label.

avc: denied { execute } for name="mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
avc: denied { getattr } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 36757864, 37436961
Change-Id: Ifb96dfca076ea58650eb32f89e850f20ae2ac102
---
 public/vold.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/public/vold.te b/public/vold.te
index 81ee28c47..836db5fda 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -28,6 +28,9 @@ allow vold self:process setexec;
 # For sgdisk launched through popen()
 allow vold shell_exec:file rx_file_perms;
 
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
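Review bot: The added `allow vold e2fs_exec:file rx_file_perms;` runs mke2fs inside the vold domain itself, because rx_file_perms includes execute_no_trans (the third denial quoted in the commit message) and the hunk adds no domain transition. The formatter therefore runs with all of vold's permissions rather than a set scoped to formatting a block device. If this policy has, or can gain, a dedicated domain for the e2fs tools, `domain_auto_trans(vold, e2fs_exec, <e2fs domain>)` would confine it more tightly. Otherwise the comment should record the choice, e.g. `# For formatting adoptable storage devices; mke2fs runs in the vold domain (no transition)`. Only part of vold.te is visible here, so a transition or neverallow elsewhere in the file cannot be ruled out.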
-- 
GitLab