From 3e1dc57bf4f4aed2c117e2a743c59e3076f57338 Mon Sep 17 00:00:00 2001
From: Alfred Piccioni
Date: Thu, 3 Nov 2022 15:41:59 +0100
Subject: [PATCH] Add NTFS support in sepolicy.

This CR, when paired with a functional NTFS implementation and the corresponding vold updates, will allow NTFS USB drives to be mounted on Android.

Bug: 254407246
Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
---
 private/compat/33.0/33.0.ignore.cil | 1 +
 private/file_contexts | 1 +
 private/genfs_contexts | 1 +
 public/file.te | 1 +
 public/hal_configstore.te | 4 ++--
 5 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a5d5f9832..a58129e18 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -22,6 +22,7 @@
 hal_wifi_service
 healthconnect_service
 keystore_config_prop
+ ntfs
 permissive_mte_prop
 prng_seeder
 servicemanager_prop
diff --git a/private/file_contexts b/private/file_contexts
index 4deecf714..72fae6227 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -230,6 +230,7 @@
 /system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
 /system/bin/init u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 65784709c..29d856140 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
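Review bot: The added `/system/bin/ntfsfix` entry in private/file_contexts reuses `fsck_exec`, so the binary will run in whatever domain callers already enter on that label. The transition rules are not part of this patch, so it is worth confirming that vold lands in the confined domain used for removable media rather than a more privileged one. Unlike a read-only checker, ntfsfix parses metadata from an untrusted volume and writes to the block device. A comment above the entry would record that, for example `# ntfsfix repairs NTFS volumes in place; labelled fsck_exec so it runs in the same confined domain as the other fsck tools`.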
@@ -385,6 +385,7 @@ genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
diff --git a/public/file.te b/public/file.te
index eb5521085..8d33a9d3d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@ type fuse, fusefs_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 886286e85..7d4d150c3 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,11 +49,11 @@ neverallow hal_configstore_server {
 # Should never need sdcard access
 neverallow hal_configstore_server {
 sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
 sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager
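Review bot: The added `genfscon ntfs / u:object_r:ntfs:s0` line in private/genfs_contexts only labels mounts whose kernel filesystem type is literally `ntfs`. The commit message does not name the NTFS implementation it is paired with. If that is the in-kernel ntfs3 driver (which registers as `ntfs3`) or a FUSE-based driver, the volume would not receive the `ntfs` label, and the `sdcard_type` rules and neverallows would not apply to it as intended. Please confirm the filesystem type the driver reports, and if it is ntfs3 add `genfscon ntfs3 / u:object_r:ntfs:s0` next to this line.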
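Review bot: The added `type ntfs, sdcard_type, fs_type, mlstrustedobject;` in public/file.te has no comment, yet it grants NTFS mounts every permission already allowed on `sdcard_type` and exempts them from MLS checks. That matches vfat and exfat, but the contents come from removable media and should be treated as untrusted. I would add a line above it such as `# ntfs: removable media with untrusted contents; inherits every sdcard_type rule`. Any other policy file that keeps a manual list like the `fuse sdcardfs vfat exfat` expansion in hal_configstore.te should gain `ntfs` for consistency, although the attribute already covers those neverallows. Only hal_configstore.te is updated in this patch.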