Merge "Allow access to the metadata partition for metadata encryption."

68e31786 · Paul Crowley · Gerrit Code Review · 64271de1 · ab318e30 · 68e31786
Commit 68e31786 authored 7 years ago by Paul Crowley Committed by Gerrit Code Review 7 years ago
--- a/private/e2fs.te
+++ b/private/e2fs.te
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
--- a/private/fsck.te
+++ b/private/fsck.te
 typeattribute fsck coredomain;

 init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
--- a/public/domain.te
+++ b/public/domain.te
@@ -556,8 +556,14 @@ neverallow {
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
 # be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
-  { append link rename write open read ioctl lock };
+neverallow {
+  domain
+  -init
+  -recovery
+  -vold
+  -e2fs
+  -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };

 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };

--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
 neverallow fsck {
  boot_block_device
  frp_block_device
-  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device