Allow access to the metadata partition for metadata encryption.

Bug: 63927601 Test: Enable metadata encryption in fstab on Taimen, check boot success. Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f
2017-12-12 10:30:09 -08:00 · 2017-12-12 10:30:09 -08:00 · ab318e30d3
commit ab318e30d3
parent 43ef5f21f1
4 changed files with 13 additions and 3 deletions
--- a/private/e2fs.te
+++ b/private/e2fs.te
@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
--- a/private/fsck.te
+++ b/private/fsck.te
@ -1,3 +1,5 @@
 typeattribute fsck coredomain;

 init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
--- a/public/domain.te
+++ b/public/domain.te
@ -556,8 +556,14 @@ neverallow {
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
 # be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
-  { append link rename write open read ioctl lock };
+neverallow {
+  domain
+  -init
+  -recovery
+  -vold
+  -e2fs
+  -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };

 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
--- a/public/fsck.te
+++ b/public/fsck.te
@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
 neverallow fsck {
  boot_block_device
  frp_block_device
-  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device