Remove some FDE rules and update comments
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux policy doesn't need to support it. Remove two rules that are no longer needed. Also update some comments that implied that other rules were needed only because of FDE support, when actually they are still needed for other reasons. Finally, fix some outdated documentation links. Bug: 208476087 Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
This commit is contained in:
Eric Biggers
parent
791567ece6
commit
9bf0a0c141
5 changed files with 16 additions and 26 deletions
|
|
@ -24,7 +24,6 @@ get_prop(vold, storage_config_prop);
|
|||
get_prop(vold, incremental_prop);
|
||||
get_prop(vold, gsid_prop);
|
||||
|
||||
set_prop(vold, vold_post_fs_data_prop)
|
||||
set_prop(vold, vold_prop)
|
||||
set_prop(vold, vold_status_prop)
|
||||
set_prop(vold, powerctl_prop)
|
||||
|
|
|
|||
|
|
@ -79,36 +79,35 @@ type root_block_device, dev_type;
|
|||
type frp_block_device, dev_type;
|
||||
|
||||
# System block device mounted on /system.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type system_block_device, dev_type;
|
||||
|
||||
# Recovery block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type recovery_block_device, dev_type;
|
||||
|
||||
# boot block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type boot_block_device, dev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type userdata_block_device, dev_type;
|
||||
|
||||
# Cache block device mounted on /cache.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type cache_block_device, dev_type;
|
||||
|
||||
# Block device for any swap partition.
|
||||
type swap_block_device, dev_type;
|
||||
|
||||
# Metadata block device used for encryption metadata.
|
||||
# Assign this type to the partition specified by the encryptable=
|
||||
# mount option in your fstab file in the entry for userdata.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Metadata block device mounted on /metadata, used for encryption metadata and
|
||||
# various other purposes.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type metadata_block_device, dev_type;
|
||||
|
||||
# The 'misc' partition used by recovery and A/B.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type misc_block_device, dev_type;
|
||||
|
||||
# 'super' partition to be used for logical partitioning.
|
||||
|
|
|
|||
|
|
@ -144,7 +144,7 @@ allow init configfs:{ file lnk_file } create_file_perms;
|
|||
# /metadata
|
||||
allow init metadata_file:dir mounton;
|
||||
|
||||
# Use tmpfs as /data, used for booting when /data is encrypted
|
||||
# Run restorecon on /dev
|
||||
allow init tmpfs:dir relabelfrom;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# vdc spawned from init for the following services:
|
||||
# defaultcrypto
|
||||
# encrypt
|
||||
# vdc is a helper program for making Binder calls to vold. It is spawned from
|
||||
# init for various reasons, such as initializing file-based encryption and
|
||||
# metadata encryption, and managing userdata checkpointing.
|
||||
#
|
||||
# We also transition into this domain from dumpstate, when
|
||||
# collecting bug reports.
|
||||
|
|
|
|||
|
|
@ -168,17 +168,9 @@ allow vold fsck_exec:file { r_file_perms execute };
|
|||
allow vold fscklogs:dir rw_dir_perms;
|
||||
allow vold fscklogs:file create_file_perms;
|
||||
|
||||
#
|
||||
# Rules to support encrypted fs support.
|
||||
#
|
||||
|
||||
# Unmount and mount the fs.
|
||||
# Mount and unmount filesystems.
|
||||
allow vold labeledfs:filesystem { mount unmount remount };
|
||||
|
||||
# Access /efs/userdata_footer.
|
||||
# XXX Split into a separate type?
|
||||
allow vold efs_file:file rw_file_perms;
|
||||
|
||||
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
||||
allow vold {
|
||||
system_data_file
|
||||
|
|
@ -210,7 +202,7 @@ allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|||
allow vold fusectlfs:file rw_file_perms;
|
||||
allow vold fusectlfs:dir rw_dir_perms;
|
||||
|
||||
# Handle wake locks (used for device encryption)
|
||||
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
|
||||
wakelock_use(vold)
|
||||
|
||||
# Allow vold to publish a binder service and make binder calls.
|
||||
|
|
@ -272,7 +264,7 @@ allow vold app_fusefs:filesystem { mount unmount };
|
|||
allow vold app_fuse_file:dir rw_dir_perms;
|
||||
allow vold app_fuse_file:file { read write open getattr append };
|
||||
|
||||
# MoveTask.cpp executes cp and rm
|
||||
# MoveStorage.cpp executes cp and rm
|
||||
allow vold toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Prepare profile dir for users.
|
||||
|
|
|
|||
Loading…
Reference in a new issue