FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce
When Android boots after file_contexts has changed, the boot process
walks the entire /data partition, updating any changed SELinux labels as
appropriate. However, credential encrypted ("ce") directories are
deliberately excluded from this early boot directory walk. Files within
ce directories have their filenames encrypted, and as a result, cannot
match the file_contexts entries. Only after the user has unlocked their
device are the unencrypted filenames available and a restorecon
appropriate.
Ensure that we do a post-unlock restorecon on /data/vendor_ce, like we
do for /data/system_ce and /data/misc_ce. This ensures the labels on
files within these directories are correct after the device has been
unlocked.
(cherrypicked from commit 6a3ef488e5
)
Bug: 132349934
Test: See bug 132349934 comment #12 for test procedure
Change-Id: Ifcbef5fdfb236ec6dea418efa9d965db3a3b782f
This commit is contained in:
parent
19e74b3d1f
commit
1bfc01e663
1 changed files with 1 additions and 0 deletions
|
@ -742,6 +742,7 @@ bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_
|
|||
// over these paths
|
||||
// NOTE: these paths need to be kept in sync with libselinux
|
||||
android::vold::RestoreconRecursive(system_ce_path);
|
||||
android::vold::RestoreconRecursive(vendor_ce_path);
|
||||
android::vold::RestoreconRecursive(misc_ce_path);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue