From 47bd7300a522fb9c7e233b6d040533ad16708a0e Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 8 Sep 2014 13:11:01 -0700
Subject: [PATCH] Add support for factory reset protection.

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
---
 device.te        | 4 ++--
 domain.te        | 2 ++
 system_server.te | 6 +++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/device.te b/device.te
index 42d15e3bb..94813c20e 100644
--- a/device.te
+++ b/device.te
@@ -65,5 +65,5 @@ type rpmsg_device, dev_type;
 # Partition layout block device
 type root_block_device, dev_type;
 
-# Persistent data block device
-type persistent_data_block_device, dev_type;
+# factory reset protection block device
+type frp_block_device, dev_type;
diff --git a/domain.te b/domain.te
index ba4c65ac0..74aa9c5e5 100644
--- a/domain.te
+++ b/domain.te
@@ -307,3 +307,5 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # New service_types are defined in service.te and new mappings
 # from service name to service_type are defined in service_contexts.
 neverallow domain default_android_service:service_manager add;
+
+neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
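Review bot: The new neverallow on the last line of the hunk has no comment explaining why init, recovery and system_server are the only domains exempted, while the rule just above it is documented in two lines. A one-line comment would make the intent auditable, e.g. `# Only init, recovery and system_server may read or write the factory reset protection partition.` Note also that the assertion covers only rw_file_perms; permissions outside that set (setattr, relabel operations, create/unlink on the node) are not constrained by it, so whether a non-exempt domain could reach the partition by other means depends on rules not visible in this patch.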
diff --git a/system_server.te b/system_server.te
index de0408827..e55a43551 100644
--- a/system_server.te
+++ b/system_server.te
@@ -382,10 +382,10 @@ allow system_server keystore:keystore_key {
 	password_uid
 };
 
-# Allow system server to search and write to the persistent data block device
-# This block device does not get wiped in a factory reset.
-allow system_server persistent_data_block_device:blk_file rw_file_perms;
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
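Review bot: The denials quoted in the commit message carry `tcontext=u:object_r:block_device:s0`, but the new allow rule on the added line targets `frp_block_device`, so the denials are resolved only once the device's file_contexts labels the partition node (mmcblk0p18 in the log) as frp_block_device; the diffstat lists only .te files, so that labeling must come from a separate change or the denial will persist. It would help to state this dependency in the comment, e.g. `# The FRP partition must be labeled frp_block_device in the device's file_contexts.` Separately, the comment says "search and write" while the rule grants rw_file_perms, which includes read; "read and write" would match the rule.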
-- 
GitLab