Adding e4crypt support
Add SELinux rules to allow file-level encryption to work.
Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
This commit is contained in:
parent
85ce2c706e
commit
38af1da107
5 changed files with 20 additions and 0 deletions
|
@ -92,6 +92,7 @@ allow domain alarm_device:chr_file r_file_perms;
|
|||
allow domain urandom_device:chr_file rw_file_perms;
|
||||
allow domain random_device:chr_file rw_file_perms;
|
||||
allow domain properties_device:file r_file_perms;
|
||||
allow domain init:key search;
|
||||
|
||||
# logd access
|
||||
write_logd(domain)
|
||||
|
|
2
file.te
2
file.te
|
@ -49,6 +49,8 @@ type logcat_exec, exec_type, file_type;
|
|||
type coredump_file, file_type;
|
||||
# Default type for anything under /data.
|
||||
type system_data_file, file_type, data_file_type;
|
||||
# Unencrypted data
|
||||
type unencrypted_data_file, file_type, data_file_type;
|
||||
# /data/.layout_version or other installd-created files that
|
||||
# are created in a system_data_file directory.
|
||||
type install_data_file, file_type, data_file_type;
|
||||
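Review bot: The comment introducing the new `unencrypted_data_file` type (`# Unencrypted data`) does not say what is labelled with it or why it is split out from `system_data_file`, which is the question a policy reader will ask when auditing who may write to it. From the file_contexts change in this commit the label appears to cover `/data/unencrypted`, so a comment along the lines of `# Files under /data/unencrypted that are deliberately kept outside e4crypt file-based encryption (see file_contexts).` would make the intent and the security boundary explicit; confirm the exact purpose with the rest of the change. The `install_data_file` comment just below is a good model for the level of detail.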
|
|
|
@ -188,6 +188,7 @@
|
|||
#
|
||||
/data(/.*)? u:object_r:system_data_file:s0
|
||||
/data/.layout_version u:object_r:install_data_file:s0
|
||||
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
|
||||
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/security(/.*)? u:object_r:security_file:s0
|
||||
|
|
12
init.te
12
init.te
|
@ -234,6 +234,18 @@ allow init metadata_block_device:blk_file rw_file_perms;
|
|||
allow init pstorefs:dir search;
|
||||
allow init pstorefs:file r_file_perms;
|
||||
|
||||
# linux keyring configuration
|
||||
allow init init:key { write search setattr };
|
||||
|
||||
# Allow init to link temp fs to unencrypted data on userdata
|
||||
allow init tmpfs:lnk_file { create read getattr relabelfrom };
|
||||
|
||||
# Allow init to manipulate /data/unencrypted
|
||||
allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
|
||||
allow init unencrypted_data_file:dir create_dir_perms;
|
||||
|
||||
unix_socket_connect(init, vold, vold)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
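Review bot: The `relabelfrom` granted on `tmpfs:lnk_file` has no matching `relabelto` for the destination type anywhere in this hunk; if `create_file_perms` on `unencrypted_data_file` does not expand to include `relabelto` (it does not in the Android macro set I am aware of, but verify against global_macros), relabelling the symlink to `unencrypted_data_file` will still be denied and the rule as written is only half of what the comment describes. Separately, `allow init init:key { write search setattr };` and `unix_socket_connect(init, vold, vold)` arrive with no explanation of why init needs key `setattr` (which changes key permissions) or a vold socket connection; a one-line comment on each, e.g. `# init sets up the keyring that holds e4crypt keys and asks vold to populate it over its socket`, hedged to whatever the actual flow is, would let a later reviewer judge whether these grants can be narrowed. The enclosing init.te rule set continues beyond the hunk in both directions.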
|
4
vold.te
4
vold.te
|
@ -101,3 +101,7 @@ allow vold userdata_block_device:blk_file rw_file_perms;
|
|||
|
||||
# Access metadata block device used for encryption meta-data.
|
||||
allow vold metadata_block_device:blk_file rw_file_perms;
|
||||
|
||||
# Allow init to manipulate /data/unencrypted
|
||||
allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
|
||||
allow vold unencrypted_data_file:dir create_dir_perms;
|
||||
|
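Review bot: The comment `# Allow init to manipulate /data/unencrypted` in vold.te is copied verbatim from the init.te hunk in this commit, but the two rules beneath it grant the permissions to `vold`, not `init`; it should read `# Allow vold to manipulate /data/unencrypted`. A wrong domain name in a policy comment is the kind of thing that misleads an audit of which domains can create files outside the encrypted area, so it is worth fixing rather than leaving. The metadata block device rule above it is correctly commented.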
|