From aa898dc541e05184245a2ba44729b0dbc8bd31b1 Mon Sep 17 00:00:00 2001 From: Ellen Arteca Date: Mon, 20 May 2024 17:59:16 +0000 Subject: [PATCH] Modify permissions to move encryption policy assignment to vold_prepare_subdirs We have moved the encryption policy assignment from vold to vold_prepare_subdirs. This CL removes some permissions from vold over storage areas that are no longer needed due to this change, and adds some permissions to vold_prepare_subdirs. Bug: 325129836 Test: atest StorageAreaTest Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81 --- private/vold.te | 17 ++++++++--------- private/vold_prepare_subdirs.te | 9 +++++++++ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/private/vold.te b/private/vold.te index 7716bd1c4..2c1fb8f91 100644 --- a/private/vold.te +++ b/private/vold.te @@ -63,16 +63,14 @@ allow vold keystore:keystore2 early_boot_ended; allow vold keystore:keystore2 delete_all_keys; is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` - # Allow vold to encrypt storage area directories on behalf of apps. - allow vold { - storage_area_dir - storage_area_app_dir - }:dir { - getattr - ioctl # for FS_IOC_SET_ENCRYPTION_POLICY + allow vold storage_area_app_dir:dir search; + # Allow vold to get the encryption policy and + # verify the ownership of storage areas + allow vold storage_area_dir:dir { + read open - read # for open(O_RDONLY) for ioctl - search + getattr + ioctl }; ') @@ -409,6 +407,7 @@ neverallowxperm { -vold -init -vendor_init + is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ') } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY }; # Only vold should ever add/remove file-based encryption keys. diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te index 1dc00b252..44c9ea561 100644 --- a/private/vold_prepare_subdirs.te +++ b/private/vold_prepare_subdirs.te 
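Review bot: The `ioctl` permission kept on `storage_area_dir:dir` in the first vold.te hunk is not narrowed there, so nothing in the hunk prevents vold from still issuing FS_IOC_SET_ENCRYPTION_POLICY on storage areas, although the new comment describes read-only use (get the policy, verify ownership). vold also stays exempt from the neverallowxperm touched in the next hunk. If setting the policy now belongs only to vold_prepare_subdirs, an assertion such as `neverallowxperm vold storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;` inside the same flag guard would make that enforceable. It would build only if any broader allowxperm that vold holds elsewhere in vold.te excludes this type, which cannot be seen from the hunk. The per-permission comments the removed lines carried (for example `# for open(O_RDONLY) for ioctl`) are worth keeping on the new permission list.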
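Review bot: The exemption added to the neverallowxperm in the second vold.te hunk covers every `data_file_type:dir`, not only storage areas. The narrowing to `storage_area_dir` is done by a separate neverallowxperm in vold_prepare_subdirs.te, which a reader of vold.te has no pointer to. A comment ahead of the rule would tie the two together, for example `# vold_prepare_subdirs is exempt only for storage_area_dir; see the neverallowxperm in vold_prepare_subdirs.te`. The rule starts above the hunk, so any existing comment there that names only vold and init as allowed to set encryption policies may also need updating.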
@@ -75,6 +75,15 @@ is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir; selinux_check_context(vold_prepare_subdirs) + + allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY; +') + +is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` + neverallowxperm vold_prepare_subdirs { + data_file_type + -storage_area_dir + }:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY; ') # Migrate legacy labels to apex_system_server_data_file (b/217581286)
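Review bot: The added `allowxperm` only filters which ioctl commands are permitted; it grants nothing unless vold_prepare_subdirs also holds the base `ioctl` permission on `storage_area_dir:dir`, and no such allow rule is added in this hunk. The flag block begins above the hunk, so the existing allow rule there may already include it; if it does not, `allow vold_prepare_subdirs storage_area_dir:dir ioctl;` is needed next to the allowxperm. A one-line comment such as `# Assign the encryption policy to storage areas (moved here from vold).` would record why this domain is allowed to set policy. The two consecutive `is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ...)` blocks could also be merged into one.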