From e2c0c9de7b99ed5cd2349e0585284fd6a0ad768a Mon Sep 17 00:00:00 2001
From: Paul Lawrence <paullawrence@google.com>
Date: Tue, 28 Apr 2015 22:06:29 +0000
Subject: [PATCH] DO NOT MERGE Securely encrypt the master key

(chery-picked from commit 13dec5fa5b860871afea47f85842706095e40527)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
---
 domain.te | 1 +
 init.te   | 6 +-----
 vold.te   | 8 ++++++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/domain.te b/domain.te
index bf3295c83..fc4cfd85a 100644
--- a/domain.te
+++ b/domain.te
@@ -93,6 +93,7 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 allow domain init:key search;
+allow domain vold:key search;
 
 # logd access
 write_logd(domain)
diff --git a/init.te b/init.te
index 9f624ba77..89ddac79e 100644
--- a/init.te
+++ b/init.te
@@ -257,11 +257,7 @@ allow init pstorefs:file r_file_perms;
 # linux keyring configuration
 allow init init:key { write search setattr };
 
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
 unix_socket_connect(init, vold, vold)
diff --git a/vold.te b/vold.te
index 1a1913e04..6a8d82f0f 100644
--- a/vold.te
+++ b/vold.te
@@ -140,8 +140,8 @@ allow vold userdata_block_device:blk_file rw_file_perms;
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
 # Write to /proc/sys/vm/drop_caches
@@ -151,6 +151,10 @@ allow vold proc_drop_caches:file w_file_perms;
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
-- 
GitLab