From 4423ecdb093abefecfc208824f2ae9d66eeae873 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Tue, 31 Mar 2015 15:03:13 -0700
Subject: [PATCH] Directory for vold to store private data.

Creates new directory at /data/misc/vold for storing key material on internal storage. Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
---
 file.te | 1 +
 file_contexts | 1 +
 init.te | 13 +++++++++----
 vold.te | 9 +++++++++
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/file.te b/file.te
index 782fae70f..bbfd665c8 100644
--- a/file.te
+++ b/file.te
@@ -110,6 +110,7 @@ type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
 type zoneinfo_data_file, file_type, data_file_type;
+type vold_data_file, file_type, data_file_type;
 
 # Compatibility with type names used in vanilla Android 4.3 and 4.4.
 typealias audio_data_file alias audio_firmware_file;
diff --git a/file_contexts b/file_contexts
index 92b8d3230..e20638e38 100644
--- a/file_contexts
+++ b/file_contexts
@@ -236,6 +236,7 @@
 /data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
 /data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
diff --git a/init.te b/init.te
index 909490d30..78f460a4d 100644
--- a/init.te
+++ b/init.te
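Review bot: The new `type vold_data_file, file_type, data_file_type;` declaration in the file.te hunk is appended after `zoneinfo_data_file`, which breaks the alphabetical order the neighbouring `*_data_file` declarations appear to follow; it belongs between `systemkeys_data_file` and `vpn_data_file`. The same applies to the file_contexts hunk, where `/data/misc/vold(/.*)? u:object_r:vold_data_file:s0` is placed after `/data/misc/zoneinfo` instead of before the `/data/misc/wifi` entries. Keeping both lists sorted makes a missing or duplicated label entry easier to spot during review, which matters for a type whose whole purpose is to keep other domains out.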
@@ -82,10 +82,10 @@ allow init rootfs:file relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
 allow init sysfs_type:{ dir file lnk_file } relabelto;
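Review bot: The exclusion set `-keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file` is now spelled out identically in four consecutive `allow init` rules (dir, file, `{ sock_file fifo_file }`, lnk_file), so every future daemon-private type needs four coordinated edits and a rule that is missed hands init write and relabelfrom access to that type until a neverallow elsewhere catches it. Since the policy is already preprocessed with m4, the set could be named once, e.g. `define(`init_no_write_types', `-keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file')`, and each rule reduced to `allow init {file_type -system_file -exec_type init_no_write_types}:dir { write add_name remove_name rmdir relabelfrom };` (the define name and its location are a suggestion, not an existing macro). It would also help to state in a comment why `vold_data_file` is deliberately left in the unchanged `:dir { create search getattr open read setattr }` and `dir_file_class_set relabelto` rules, since that is what lets init create the directory and restorecon it while the hunk removes everything else.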
@@ -156,6 +156,11 @@ allow init domain:process sigkill;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
 
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
 # Init creates /data/local/tmp at boot
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
diff --git a/vold.te b/vold.te
index 0a42b2db0..c2bd06487 100644
--- a/vold.te
+++ b/vold.te
@@ -129,3 +129,12 @@ allow vold metadata_block_device:blk_file rw_file_perms;
 # Allow init to manipulate /data/unencrypted
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
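Review bot: The comment above the new `allow init vold_data_file:dir { open create read getattr setattr search };` rule explains why init needs the directory but not that this permission set is the exact ceiling enforced by the `neverallow { domain -vold } vold_data_file:dir ~{ ... }` rule added to vold.te in the same patch; a reader who later adds, say, `write` here will only learn about the coupling from a build failure. Suggest appending one line to the comment: `# Anything added here must also be carved out of the neverallows in vold.te.` The two blocks are in different files, so a cross-reference in each direction is cheap and keeps the "init may only create, walk and relabel" contract visible where it is most likely to be edited.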
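Review bot: The comment `# Give vold a place where only vold can store files; everyone else is off limits` overstates the rules that follow: the two `{ domain -vold -init }` neverallows shut out every domain except vold and init, while the two `{ domain -vold }` rules then bound init to `{ open create read getattr setattr search relabelto }` on the directory and `{ relabelto getattr }` on its contents, which is what the boot-time mkdir and recursive restorecon need. Because the `-init` rules already deny everything to other domains, the first two rules only ever constrain init, so writing them as `neverallow init vold_data_file:dir ~{ open create read getattr setattr search relabelto };` and `neverallow init vold_data_file:notdevfile_class_set ~{ relabelto getattr };` would say the same thing more directly, and the comment could become `# Only vold may use this label; init is limited to creating, walking and relabeling it at boot, and the neverallows below enforce both bounds at build time.` Separately, `rw_dir_perms` grants vold neither `create` nor `rmdir` on `vold_data_file:dir`, so vold cannot make or remove subdirectories under /data/misc/vold; if the key store is meant to stay flat that is the right minimum, but it deserves a word in the comment so the omission is not mistaken for an oversight.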