From 96eeb1ecb3980e34a5f9ed1a4afd8ffa6ada0cf0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 19 Feb 2014 13:33:32 -0800
Subject: [PATCH] initial policy for uncrypt.

Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.

Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.

Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.

Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
---
 domain.te     |  4 ++--
 file_contexts |  1 +
 uncrypt.te    | 25 +++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 uncrypt.te

diff --git a/domain.te b/domain.te
index 5ac6b460f..1fb2ef8b9 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
 # Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
 
 # No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
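Review bot: The new `-uncrypt` exception on this neverallow exempts uncrypt from both sys_rawio and mknod, but uncrypt.te in the same patch only allows sys_rawio, so mknod is now outside the global whitelist check with nothing in the policy preventing a later rule from granting it. A neverallow exception cannot be narrowed per permission here, so the usual way to keep the guarantee is a domain-local rule next to the sys_rawio allow in uncrypt.te, `neverallow uncrypt self:capability mknod;`. That records in the domain that holds the exception that only raw I/O was intended.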
@@ -203,7 +203,7 @@ neverallow domain init:binder call;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
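Review bot: The `-uncrypt` exception added here is described in the commit message as a stopgap until the /data block device can be labeled per device, but nothing in the policy itself records that, and neverallow exceptions tend to outlive the reason they were added. A comment on the rule tying it to the tracking bug would keep it from becoming permanent, e.g. `# TODO (bug 13083922): uncrypt should write to a specifically labeled userdata block device; drop it from this list once that label exists.` Note also that, combined with the `block_device:blk_file w_file_perms` rule in uncrypt.te, this exception lets uncrypt open and write every generically labeled block device, not only the one backing /data; if the per-device labeling is not going to land soon, a dedicated type for the userdata partition on the affected devices is the properly scoped alternative.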
diff --git a/file_contexts b/file_contexts
index d4315b031..81698d1ef 100644
--- a/file_contexts
+++ b/file_contexts
@@ -150,6 +150,7 @@
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
 #############################
 # Vendor files
 #
diff --git a/uncrypt.te b/uncrypt.te
new file mode 100644
index 000000000..aea666848
--- /dev/null
+++ b/uncrypt.te
@@ -0,0 +1,25 @@
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+init_daemon_domain(uncrypt)
+permissive_or_unconfined(uncrypt)
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;
+
+# Set a property to reboot the device.
+unix_socket_connect(uncrypt, property, init)
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file w_file_perms;
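Review bot: `allow uncrypt self:capability dac_override;` carries no justification, and dac_override is the capability reviewers most want explained because it bypasses every DAC check rather than the one the daemon needs; if it exists only to read the OTA zip under an app's private directory, the narrower `dac_read_search` may suffice, and either way a comment naming the file it is for, e.g. `# dac_override: read the OTA zip under an app uid's private data dir`, should go on the rule. Two caveats on the rest of the file: `permissive_or_unconfined(uncrypt)` means none of these allow rules actually constrain uncrypt yet, so nothing missing here will surface as a denial until the domain is made enforcing; and the comment says command.tmp is renamed over /cache/recovery/command, which needs the `rename` permission, so confirm that this tree's `create_file_perms` macro includes it or the rename is denied once enforcing. Since the zip is read from app-writable `app_data_file` and the domain can write raw blocks to any `block_device`, uncrypt's zip parsing is a trust boundary; the header comment should say so, along with why that is acceptable for this daemon.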
-- 
GitLab