Merge "Only restorecon CE storage after unlocked." into nyc-mr1-dev

init/builtins.cpp

@@ -875,8 +875,12 @@ static int do_restorecon_recursive(const std::vector<std::string>& args) {
     int ret = 0;
 
     for (auto it = std::next(args.begin()); it != args.end(); ++it) {
-        if (restorecon_recursive(it->c_str()) < 0)
+        /* The contents of CE paths are encrypted on FBE devices until user
+         * credentials are presented (filenames inside are mangled), so we need
+         * to delay restorecon of those until vold explicitly requests it. */
+        if (restorecon_recursive_skipce(it->c_str()) < 0) {
             ret = -errno;
+        }
     }
     return ret;
 }

init/util.cpp

@@ -471,6 +471,12 @@ int restorecon_recursive(const char* pathname)
     return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
 }
 
+int restorecon_recursive_skipce(const char* pathname)
+{
+    return selinux_android_restorecon(pathname,
+            SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
 /*
  * Writes hex_len hex characters (1/2 byte) to hex from bytes.
  */

init/util.h

@@ -63,6 +63,7 @@ void import_kernel_cmdline(bool in_qemu,
 int make_dir(const char *path, mode_t mode);
 int restorecon(const char *pathname);
 int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
 std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
 bool is_dir(const char* pathname);
 bool expand_props(const std::string& src, std::string* dst);