From ab318e30d3dcfa0a7ab7a21c48fe395579732332 Mon Sep 17 00:00:00 2001
From: Paul Crowley <paulcrowley@google.com>
Date: Tue, 12 Dec 2017 10:30:09 -0800
Subject: [PATCH] Allow access to the metadata partition for metadata
 encryption.

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f
---
 private/e2fs.te  |  3 +++
 private/fsck.te  |  2 ++
 public/domain.te | 10 ++++++++--
 public/fsck.te   |  1 -
 4 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 private/e2fs.te

diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 000000000..2c4c01398
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
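Review bot: The new private/e2fs.te grants `devpts:chr_file { read write }` with no comment, and that rule is not covered by the commit subject, which is only about the metadata partition. If it is needed (presumably so the tool can write its output to the caller's pty), say so above the rule, for example `# Allow output to the invoking terminal.`, or move it to a separate change. The `metadata_block_device` rule here and the matching one added to private/fsck.te should each carry a one-line reason such as `# Needed to format/check the metadata partition when metadata encryption is enabled.`. Without it, a later audit cannot tell why these domains may write to a device holding encryption and verified boot metadata. The file also ends with a stray blank line.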
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329f7..f8e09b645 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,5 @@
 typeattribute fsck coredomain;
 
 init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 76318ecf1..cffe5cdae 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -556,8 +556,14 @@ neverallow {
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
 # be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
-  { append link rename write open read ioctl lock };
+neverallow {
+  domain
+  -init
+  -recovery
+  -vold
+  -e2fs
+  -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
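Review bot: The comment above the rewritten neverallow still says the metadata block device "should not be used by other domains", but the exemption list now also names `e2fs` and `fsck` without explaining why. Extend the comment with something like `# e2fs and fsck are exempt so the partition can be formatted and checked for metadata encryption.`. Because this neverallow is in public/ and public/fsck.te drops `metadata_block_device` from the fsck neverallow entirely, this rule appears to be the only remaining bound on the two domains. It would help to state in the comment that access is expected to be granted only by the private/ allow rules.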
diff --git a/public/fsck.te b/public/fsck.te
index 7cc7e8b18..c5219d8ab 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
 neverallow fsck {
   boot_block_device
   frp_block_device
-  metadata_block_device
   recovery_block_device
   root_block_device
   swap_block_device
-- 
GitLab