From f37ce3f3e2ad68da61f709567cd166a83316e3f3 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 8 Sep 2014 13:11:01 -0700
Subject: [PATCH] Add support for factory reset protection.

Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300a522fb9c7e233b6d040533ad16708a0e)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
---
 device.te | 4 ++--
 domain.te | 2 ++
 system_server.te | 6 +++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/device.te b/device.te
index 9ca072f38..adee1d7bf 100644
--- a/device.te
+++ b/device.te
@@ -65,5 +65,5 @@ type rpmsg_device, dev_type;
 # Partition layout block device
 type root_block_device, dev_type;
-# Persistent data block device
-type persistent_data_block_device, dev_type;
+# factory reset protection block device
+type frp_block_device, dev_type;
diff --git a/domain.te b/domain.te
index e80a1d957..a3dd21743 100644
--- a/domain.te
+++ b/domain.te
@@ -311,3 +311,5 @@ neverallow domain default_android_service:service_manager add;
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;
+
+neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
diff --git a/system_server.te b/system_server.te
index 438d09d58..020f2ab0c 100644
--- a/system_server.te
+++ b/system_server.te
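Review bot: The new neverallow at the end of the domain.te hunk carries no comment, unlike the default_prop rule directly above it, so the reason for the three exempted domains is not recorded; a line such as `# Only init, recovery and system_server may read or write the factory reset protection partition.` above it would make the exemption list reviewable. The rule constrains rw_file_perms only, and does not cover create, setattr or relabelfrom/relabelto on the device node, so a domain allowed to relabel the node could reach the partition under another type unless a file-wide rule already forbids that; no such rule is visible in this hunk, so it is worth confirming. The denials quoted in the commit message are for read, while the exemption for system_server is as broad as the rw_file_perms allow it enables; that looks intended, but the comment should say so.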
@@ -386,10 +386,10 @@ allow system_server keystore:keystore_key { password_uid };
-# Allow system server to search and write to the persistent data block device
-# This block device does not get wiped in a factory reset.
-allow system_server persistent_data_block_device:blk_file rw_file_perms;
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
-- 
GitLab
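Review bot: The rewritten comment documents the frp_block_device rule, but the unchanged `allow system_server block_device:dir search;` line now sits between the comment and the rule it describes, so the comment reads as an explanation of the directory search. Moving the added `allow system_server frp_block_device:blk_file rw_file_perms;` directly under its comment, ahead of the dir search line, keeps the pair together as the removed lines were. The comment also says "search and write" while the rule grants rw_file_perms and the denials in the commit message are for read; "read and write" would describe what is actually granted. Since system_server is the only non-init, non-recovery domain exempted from the frp_block_device neverallow, it is worth confirming that the full rw_file_perms set, rather than a narrower one, is what the caller needs on the raw partition.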