cryptfs: run e2fsck/fsck.f2fs in fsck domain
e2fsck and fsck.f2fs must run in the fsck domain. Add call to setexeccon() to tell selinux to run in the fsck domain on exec. Addresses: avc: denied { execute_no_trans } for path="/system/bin/e2fsck" dev="mmcblk0p41" ino=241 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file Bug: 26872236 Change-Id: Ib2a583aeefc667f8aa67532e0ac0ff9619b65461
This commit is contained in:
parent
1ae498e0d4
commit
df72575862
4 changed files with 66 additions and 0 deletions
|
@ -27,6 +27,7 @@ common_src_files := \
|
||||||
MoveTask.cpp \
|
MoveTask.cpp \
|
||||||
Benchmark.cpp \
|
Benchmark.cpp \
|
||||||
TrimTask.cpp \
|
TrimTask.cpp \
|
||||||
|
secontext.cpp \
|
||||||
|
|
||||||
common_c_includes := \
|
common_c_includes := \
|
||||||
system/extras/ext4_utils \
|
system/extras/ext4_utils \
|
||||||
|
|
18
cryptfs.c
18
cryptfs.c
|
@ -43,7 +43,9 @@
|
||||||
#include <fs_mgr.h>
|
#include <fs_mgr.h>
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <math.h>
|
#include <math.h>
|
||||||
|
#include <selinux/selinux.h>
|
||||||
#include "cryptfs.h"
|
#include "cryptfs.h"
|
||||||
|
#include "secontext.h"
|
||||||
#define LOG_TAG "Cryptfs"
|
#define LOG_TAG "Cryptfs"
|
||||||
#include "cutils/log.h"
|
#include "cutils/log.h"
|
||||||
#include "cutils/properties.h"
|
#include "cutils/properties.h"
|
||||||
|
@ -1683,6 +1685,15 @@ static int cryptfs_restart_internal(int restart_main)
|
||||||
/* If that succeeded, then mount the decrypted filesystem */
|
/* If that succeeded, then mount the decrypted filesystem */
|
||||||
int retries = RETRY_MOUNT_ATTEMPTS;
|
int retries = RETRY_MOUNT_ATTEMPTS;
|
||||||
int mount_rc;
|
int mount_rc;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
|
||||||
|
* partitions in the fsck domain.
|
||||||
|
*/
|
||||||
|
if (setexeccon(secontextFsck())){
|
||||||
|
SLOGE("Failed to setexeccon");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
|
while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
|
||||||
crypto_blkdev, 0))
|
crypto_blkdev, 0))
|
||||||
!= 0) {
|
!= 0) {
|
||||||
|
@ -1704,9 +1715,16 @@ static int cryptfs_restart_internal(int restart_main)
|
||||||
cryptfs_set_corrupt();
|
cryptfs_set_corrupt();
|
||||||
cryptfs_trigger_restart_min_framework();
|
cryptfs_trigger_restart_min_framework();
|
||||||
SLOGI("Started framework to offer wipe");
|
SLOGI("Started framework to offer wipe");
|
||||||
|
if (setexeccon(NULL)) {
|
||||||
|
SLOGE("Failed to setexeccon");
|
||||||
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (setexeccon(NULL)) {
|
||||||
|
SLOGE("Failed to setexeccon");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
property_set("vold.decrypt", "trigger_load_persist_props");
|
property_set("vold.decrypt", "trigger_load_persist_props");
|
||||||
/* Create necessary paths on /data */
|
/* Create necessary paths on /data */
|
||||||
|
|
22
secontext.cpp
Normal file
22
secontext.cpp
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2016 The Android Open Source Project
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
#include <Utils.h>
|
||||||
|
#include "secontext.h"
|
||||||
|
|
||||||
|
security_context_t secontextFsck()
|
||||||
|
{
|
||||||
|
return android::vold::sFsckContext;
|
||||||
|
}
|
25
secontext.h
Normal file
25
secontext.h
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2016 The Android Open Source Project
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
#ifndef _SECONTEXT_H_
|
||||||
|
#define _SECONTEXT_H_
|
||||||
|
|
||||||
|
#include <selinux/selinux.h>
|
||||||
|
|
||||||
|
__BEGIN_DECLS
|
||||||
|
security_context_t secontextFsck();
|
||||||
|
__END_DECLS
|
||||||
|
|
||||||
|
#endif
|
Loading…
Reference in a new issue