Merge "Allow vendor_init and e2fs to enable metadata encryption"
am: 5d422a305d
Change-Id: I916b8925fca67ce6cada9e43c83e7936e6e75542
This commit is contained in:
commit
55b3a9d21e
6 changed files with 60 additions and 8 deletions
|
@ -109,6 +109,7 @@
|
|||
usbd_tmpfs
|
||||
vendor_init
|
||||
vendor_shell
|
||||
vold_metadata_file
|
||||
vold_prepare_subdirs
|
||||
vold_prepare_subdirs_exec
|
||||
vold_service
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
allow e2fs devpts:chr_file { read write };
|
||||
allow e2fs metadata_block_device:blk_file rw_file_perms;
|
||||
|
|
@ -1,9 +1,12 @@
|
|||
type e2fs, domain, coredomain;
|
||||
type e2fs_exec, exec_type, file_type;
|
||||
|
||||
allow e2fs block_device:blk_file getattr;
|
||||
allow e2fs devpts:chr_file { read write getattr ioctl };
|
||||
|
||||
allow e2fs dev_type:blk_file getattr;
|
||||
allow e2fs block_device:dir search;
|
||||
allow e2fs userdata_block_device:blk_file rw_file_perms;
|
||||
allow e2fs metadata_block_device:blk_file rw_file_perms;
|
||||
|
||||
allow e2fs {
|
||||
proc_filesystems
|
||||
|
@ -12,6 +15,7 @@ allow e2fs {
|
|||
}:file r_file_perms;
|
||||
|
||||
# access /sys/fs/ext4/features
|
||||
allow e2fs sysfs_fs_ext4_features:dir search;
|
||||
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
|
||||
|
||||
# access sselinux context files
|
||||
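Review bot: `allow e2fs dev_type:blk_file getattr;` in the first hunk grants stat on every block device node, which is much broader than the `block_device:blk_file getattr` rule two lines above it and, if block_device carries the dev_type attribute as it does elsewhere in this policy, makes that earlier rule redundant. The userdata and metadata devices already get getattr through their rw_file_perms rules, so if the only extra need is to resolve those two devices, `allow e2fs { userdata_block_device metadata_block_device }:blk_file getattr;` keeps the boundary tighter; if stat on arbitrary block nodes is genuinely needed, a one-line comment saying why (for example while following symlinks under /dev/block) would stop the next reader from narrowing it. The `allow e2fs {` rule at the bottom of the first hunk continues outside it, and the second hunk's `# access sselinux context files` line is context, not new code.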
|
|
|
@ -149,6 +149,9 @@ type vendor_framework_file, vendor_file_type, file_type;
|
|||
# Default type for everything in /vendor/overlay
|
||||
type vendor_overlay_file, vendor_file_type, file_type;
|
||||
|
||||
# /metadata subdirectories
|
||||
type vold_metadata_file, file_type;
|
||||
|
||||
# Speedup access for trusted applications to the runtime event tags
|
||||
type runtime_event_log_tags_file, file_type;
|
||||
# Type for /system/bin/logcat.
|
||||
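Review bot: The comment `# /metadata subdirectories` above `type vold_metadata_file, file_type;` under-describes the new type: it does not say which directories receive the label or which domain owns them, and none of the six changed files visible here adds a file_contexts entry for it, so the labeling presumably lives in device policy or a later change. That is worth confirming, because a directory that never gets this label silently falls outside the vold.te neverallows that reference the type. Suggest `# Directories under /metadata that vold manages (metadata-encryption state); labeled by device file_contexts`, adjusting the path and owner to what the policy actually assigns.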
|
|
|
@ -38,6 +38,7 @@ allow vendor_init {
|
|||
-system_file
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
||||
|
||||
allow vendor_init {
|
||||
|
@ -48,6 +49,7 @@ allow vendor_init {
|
|||
-system_file
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
}:file { create getattr open read write setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
|
@ -57,6 +59,7 @@ allow vendor_init {
|
|||
-system_file
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
|
@ -66,6 +69,7 @@ allow vendor_init {
|
|||
-system_file
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
|
@ -74,6 +78,7 @@ allow vendor_init {
|
|||
-exec_type
|
||||
-system_file
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
}:dir_file_class_set relabelto;
|
||||
|
||||
allow vendor_init dev_type:dir create_dir_perms;
|
||||
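Review bot: Every hunk in this file only subtracts vold_metadata_file from vendor_init's broad file_type rules (dir, file, sock/fifo, lnk, relabelto), yet the commit title says vendor_init is being allowed to enable metadata encryption and the vold.te dir neverallow exempts vendor_init; the narrower allow that actually grants vendor_init directory access on vold_metadata_file is not visible in this view, so confirm it exists or is deliberately left to device policy. A comment next to the first exclusion would make the intent explicit, e.g. `# vold_metadata_file: vendor_init gets no file-level access; see the vold.te neverallows`, which matches the visible neverallow on `vold_metadata_file:notdevfile_class_set` that does not exempt vendor_init. Each of the five `allow vendor_init {` rules starts before its hunk, so the full exclusion lists are not visible here.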
|
|
|
@ -172,6 +172,10 @@ allow vold proc_drop_caches:file w_file_perms;
|
|||
allow vold vold_data_file:dir create_dir_perms;
|
||||
allow vold vold_data_file:file create_file_perms;
|
||||
|
||||
# And a similar place in the metadata partition
|
||||
allow vold vold_metadata_file:dir create_dir_perms;
|
||||
allow vold vold_metadata_file:file create_file_perms;
|
||||
|
||||
# linux keyring configuration
|
||||
allow vold init:key { write search setattr };
|
||||
allow vold vold:key { write search setattr };
|
||||
|
@ -198,10 +202,48 @@ allow vold user_profile_data_file:dir create_dir_perms;
|
|||
# Raw writes to misc block device
|
||||
allow vold misc_block_device:blk_file w_file_perms;
|
||||
|
||||
neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
||||
neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
|
||||
neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
|
||||
neverallow {
|
||||
domain
|
||||
-vold
|
||||
-vold_prepare_subdirs
|
||||
} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vold
|
||||
-vold_prepare_subdirs
|
||||
} vold_data_file:dir *;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vendor_init
|
||||
-vold
|
||||
} vold_metadata_file:dir *;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
-vold
|
||||
-vold_prepare_subdirs
|
||||
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vold
|
||||
-vold_prepare_subdirs
|
||||
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-kernel
|
||||
-vold
|
||||
-vold_prepare_subdirs
|
||||
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
|
||||
|
||||
neverallow { domain -vold -init } restorecon_prop:property_service set;
|
||||
|
||||
# Only system_server and vdc can interact with vold over binder
|
||||
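Review bot: The two `notdevfile_class_set ~{ relabelto getattr }` neverallows in the second hunk are asymmetric: the vold_data_file rule exempts kernel, vold and vold_prepare_subdirs, while the vold_metadata_file rule exempts init, vold and vold_prepare_subdirs, so init is left room to be granted read/write on files under the metadata type although it is not under the data type. If init only needs to create the directory (the dir rule already exempts it), dropping `-init` from the vold_metadata_file file rule keeps whatever vold stores there at the same file-level boundary as /data/vold; if init genuinely needs file access, a comment stating why would document the wider exemption. In the same vein, `-kernel` in the combined `{ vold_data_file vold_metadata_file }:notdevfile_class_set *` rule is moot for vold_metadata_file, since the stricter rule above it does not exempt kernel. The `# And a similar place in the metadata partition` comment in the first hunk only reads correctly next to the vold_data_file rules it follows; `# vold's working directory on the metadata partition, mirroring vold_data_file` stands on its own.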
|
|