Adding e4crypt support

Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
author: Paul Lawrence <paullawrence@google.com> 2015-03-11 15:44:14 -0700
committer: Paul Lawrence <paullawrence@google.com> 2015-03-27 14:47:30 -0700
commit: 38af1da10785c3c4056e148652d565a7187614ea (patch)
tree: 97a31ed4fa87afa514b64c04487269c1dc883f50
parent: 85ce2c706e95f96c95b3af418b7bda0bfe9918f4 (diff)
download: android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.tar.gz
android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.tar.bz2
android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.zip
5 files changed, 20 insertions, 0 deletions
diff --git a/domain.te b/domain.te
index 12633c8..3a84659 100644
--- a/domain.te
+++ b/domain.te
@@ -92,6 +92,7 @@ allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
+allow domain init:key search;
 
 # logd access
 write_logd(domain)
diff --git a/file.te b/file.te
index fe28213..fa4c482 100644
--- a/file.te
+++ b/file.te
@@ -49,6 +49,8 @@ type logcat_exec, exec_type, file_type;
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
 type install_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 849cce0..406f566 100644
--- a/file_contexts
+++ b/file_contexts
@@ -188,6 +188,7 @@
 #
 /data(/.*)?		u:object_r:system_data_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
+/data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
 /data/security(/.*)?	u:object_r:security_file:s0
diff --git a/init.te b/init.te
index da9a722..909490d 100644
--- a/init.te
+++ b/init.te
@@ -234,6 +234,18 @@ allow init metadata_block_device:blk_file rw_file_perms;
 allow init pstorefs:dir search;
 allow init pstorefs:file r_file_perms;
 
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to link temp fs to unencrypted data on userdata
+allow init tmpfs:lnk_file { create read getattr relabelfrom };
+
+# Allow init to manipulate /data/unencrypted
+allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow init unencrypted_data_file:dir create_dir_perms;
+
+unix_socket_connect(init, vold, vold)
+
 ###
 ### neverallow rules
 ###
diff --git a/vold.te b/vold.te
index f605f8a..17ddd61 100644
--- a/vold.te
+++ b/vold.te
@@ -101,3 +101,7 @@ allow vold userdata_block_device:blk_file rw_file_perms;
 
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow init to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
author	Paul Lawrence <paullawrence@google.com>	2015-03-11 15:44:14 -0700
committer	Paul Lawrence <paullawrence@google.com>	2015-03-27 14:47:30 -0700
commit	38af1da10785c3c4056e148652d565a7187614ea (patch)
tree	97a31ed4fa87afa514b64c04487269c1dc883f50
parent	85ce2c706e95f96c95b3af418b7bda0bfe9918f4 (diff)
download	android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.tar.gz android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.tar.bz2 android_external_sepolicy-38af1da10785c3c4056e148652d565a7187614ea.zip