DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl

(cherry-picked from change f7163597) This is one of three changes to enable this functionality: https://android-review.googlesource.com/#/c/146259/ https://android-review.googlesource.com/#/c/146264/ https://android-review.googlesource.com/#/c/146265/ Bug: 18151196 Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa

DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
(cherry-picked from change f7163597) This is one of three changes to enable this functionality: https://android-review.googlesource.com/#/c/146259/ https://android-review.googlesource.com/#/c/146264/ https://android-review.googlesource.com/#/c/146265/ Bug: 18151196 Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
35e50159 · Paul Lawrence · e2c0c9de · 35e50159 · 35e50159 · 35e50159
Commit 35e50159 authored 9 years ago by Paul Lawrence
--- a/init.te
+++ b/init.te
@@ -96,7 +96,7 @@ allow init rootfs:file relabelfrom;
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

--- a/keystore.te
+++ b/keystore.te
@@ -23,7 +23,7 @@ selinux_check_access(keystore)
 ### Protect ourself from others
 ###
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -keystore -init } keystore_data_file:dir *;

--- a/vold.te
+++ b/vold.te
@@ -155,7 +155,7 @@ allow vold vold_data_file:file create_file_perms;
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;