Merge "Allow access to the metadata partition for metadata encryption."

am: 68e31786f0

Change-Id: I8f64eb7829dac3433cb905b76c00c9f716987281
Paul Crowley 2018-01-22 19:53:04 +00:00 committed by android-build-merger
commit b263aa0093
4 changed files with 13 additions and 3 deletions

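--- a/private/e2fs.te
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;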
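Review bot: The `allow e2fs devpts:chr_file { read write };` line in the new private/e2fs.te is not accounted for by the commit subject, which is about the metadata partition, and it lands with no comment saying why a filesystem formatter needs a pseudo-terminal. If it was only observed while running e2fs from an interactive shell during testing, it should be dropped rather than landed; otherwise add a comment above it such as `# e2fs inherits stdio from its caller; devpts access is needed for <reason — fill in>`. The block-device grant also deserves a one-line comment tying it to the feature, e.g. `# e2fs formats the metadata partition used for metadata encryption.`, and note that rw_file_perms presumably expands to a broader set (getattr at least) than the permissions the domain-wide neverallow enumerates, which is worth confirming against the macro definition.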


@ -1,3 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms;
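Review bot: `allow fsck metadata_block_device:blk_file rw_file_perms;` gives fsck write access to a partition the domain.te comment describes as set aside for encryption and verified-boot metadata, and the line carries no explanation of why write (not just read) is required. A comment above it would make the intent reviewable later, e.g. `# fsck must be able to check and repair the filesystem on the metadata partition used for metadata encryption.`. The path of this file is not shown on this page; from the surrounding `typeattribute fsck coredomain;` and `init_daemon_domain(fsck)` lines it appears to be the private fsck policy, which should be confirmed.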


@ -556,8 +556,14 @@ neverallow {
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
{ append link rename write open read ioctl lock };
neverallow {
domain
-init
-recovery
-vold
-e2fs
-fsck
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
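Review bot: The comment above the rewritten neverallow is now stale: it still says the metadata block device "should not be used by other domains" while the rule directly below newly exempts e2fs and fsck, so a reader sees the prose and the rule disagree. Update the last comment line to something like `# be used by other domains, except e2fs and fsck, which format and check it.` so the exemption list is documented where it is granted. The broadened exemption is consistent with the grants in the e2fs and fsck sections of this commit, but those grants use rw_file_perms, which presumably covers more permissions than the set enumerated in this neverallow; if the intent is that only the listed operations are protected, that gap should be stated here. The file path for this section is not shown on the page.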


@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
neverallow fsck {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device