From d9a4e06ec59025a32a80b343ef8aa47eb7ddb308 Mon Sep 17 00:00:00 2001
From: Paul Crowley <paulcrowley@google.com>
Date: Thu, 1 Feb 2018 10:15:34 -0800
Subject: [PATCH] Allow vendor_init and e2fs to enable metadata encryption

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26
---
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/e2fs.te                     |  3 --
 public/e2fs.te                      |  6 +++-
 public/file.te                      |  3 ++
 public/vendor_init.te               |  5 +++
 public/vold.te                      | 50 ++++++++++++++++++++++++++---
 6 files changed, 60 insertions(+), 8 deletions(-)
 delete mode 100644 private/e2fs.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7769b65b6..ae0d4e71c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
     usbd_tmpfs
     vendor_init
     vendor_shell
+    vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/e2fs.te b/private/e2fs.te
deleted file mode 100644
index 2c4c01398..000000000
--- a/private/e2fs.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow e2fs devpts:chr_file { read write };
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-
diff --git a/public/e2fs.te b/public/e2fs.te
index a95512128..6fcd0c2fb 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,9 +1,12 @@
 type e2fs, domain, coredomain;
 type e2fs_exec, exec_type, file_type;
 
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
 
 allow e2fs {
   proc_filesystems
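Review bot: The replacement rule `allow e2fs dev_type:blk_file getattr;` widens e2fs's getattr from the single block_device type to every blk_file node carrying the dev_type attribute, and neither the hunk nor the commit message says why the narrower set `{ block_device userdata_block_device metadata_block_device }` is insufficient. If the attribute-wide rule is really needed (presumably to stat some device node e2fs reaches indirectly — that is an inference), a one-line comment above it such as `# e2fs stats block device nodes of any dev_type because <REASON-PLACEHOLDER>` would stop the next reviewer from narrowing it back; otherwise restrict it to the block device types e2fs actually opens. The devpts rule also gains `ioctl` with no allowxperm shown in this patch, so it is worth checking whether the file's tty ioctl convention applies here. The `allow e2fs {` block that opens at the end of this hunk continues outside it.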
@@ -12,6 +15,7 @@ allow e2fs {
 }:file r_file_perms;
 
 # access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
 
 # access sselinux context files
diff --git a/public/file.te b/public/file.te
index 932ecbf8b..f45de90cb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
+# /metadata subdirectories
+type vold_metadata_file, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
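Review bot: The comment above the new type, `# /metadata subdirectories`, does not say which subdirectories or which domain owns them, even though the vold.te neverallows in this same patch reserve the type almost entirely for vold. Suggest `# vold-managed subdirectories of /metadata; only vold (plus init/vendor_init for setup) may touch these`. The diffstat shows no file_contexts change, so the labelling that actually assigns vold_metadata_file to a path is not part of this patch and should be confirmed to land alongside it.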
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c56b45cc6..dbb20fd7b 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -38,6 +38,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
@@ -48,6 +49,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -57,6 +59,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -66,6 +69,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -74,6 +78,7 @@ allow vendor_init {
   -exec_type
   -system_file
   -vendor_file_type
+  -vold_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index a490e0643..0107ebd4c 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -172,6 +172,10 @@ allow vold proc_drop_caches:file w_file_perms;
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
 # linux keyring configuration
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
@@ -198,10 +202,48 @@ allow vold user_profile_data_file:dir create_dir_perms;
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
-neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+    domain
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+    domain
+    -init
+    -vendor_init
+    -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+    domain
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 # Only system_server and vdc can interact with vold over binder
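Review bot: The file-class neverallow for the new type, `neverallow { domain -init -vold -vold_prepare_subdirs } vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };`, exempts init outright, whereas the parallel vold_data_file rule directly above it exempts kernel and not init; the result is that init keeps only relabelto/getattr on vold_data_file files but may do anything to vold_metadata_file files, while kernel is restricted on the metadata type but not on the data type. If init only needs to create and relabel the directory (the commit message does not say), the exemption list should mirror the vold_data_file rule, `-kernel` in place of `-init`; if full init access is intended, a comment stating why belongs above the rule. The `vold_metadata_file:dir *` rule likewise exempts vendor_init although this patch grants vendor_init no allow rule on the type and carries no comment; a line such as `# vendor_init may set up the directory when the vendor fstab enables metadata encryption` would record the intent for the device policy that is expected to add the allow.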
-- 
GitLab