Commit 5287d9a8 authored by Paul Lawrence's avatar Paul Lawrence

Securely encrypt the master key

This change removes the link, but moves key management to
vold, so we need to adjust permissions accordingly.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
parent e05487ac
...@@ -93,6 +93,7 @@ allow domain urandom_device:chr_file rw_file_perms; ...@@ -93,6 +93,7 @@ allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms; allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms; allow domain properties_device:file r_file_perms;
allow domain init:key search; allow domain init:key search;
allow domain vold:key search;
# logd access # logd access
write_logd(domain) write_logd(domain)
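Review bot: `allow domain vold:key search;` grants every domain search on vold's keyring without a comment saying why such a wide grant is needed, and it sits next to the existing `allow domain init:key search;` that it presumably supersedes. A one-line comment would keep the reason from being lost, e.g. `# Allow all domains to find keys in vold's keyring (kernel key lookup for encrypted data)`, adjusted to whatever the actual lookup path is. If the description's "removes the link" means the key is no longer reachable through init's keyring, the init:key search rule on the line above may be removable now; worth confirming before it outlives its purpose.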
...@@ -257,11 +257,7 @@ allow init pstorefs:file r_file_perms; ...@@ -257,11 +257,7 @@ allow init pstorefs:file r_file_perms;
# linux keyring configuration # linux keyring configuration
allow init init:key { write search setattr }; allow init init:key { write search setattr };
# Allow init to link temp fs to unencrypted data on userdata # Allow init to create /data/unencrypted
allow init tmpfs:lnk_file { create read getattr relabelfrom };
# Allow init to manipulate /data/unencrypted
allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
allow init unencrypted_data_file:dir create_dir_perms; allow init unencrypted_data_file:dir create_dir_perms;
unix_socket_connect(init, vold, vold) unix_socket_connect(init, vold, vold)
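Review bot: With init's file and lnk_file permissions on unencrypted_data_file dropped, nothing in the policy pins down that only vold may now create or write files under /data/unencrypted; the neverallow style already used for vold_data_file in vold.te would catch a future regression, e.g. `neverallow { domain -vold } unencrypted_data_file:file { create write };`, assuming no other domain legitimately writes there. The retained `allow init unencrypted_data_file:dir create_dir_perms;` is also wider than the new comment "create /data/unencrypted" implies, though narrowing it is only worthwhile if init does no further manipulation of that directory after boot.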
...@@ -143,14 +143,18 @@ allow vold userdata_block_device:blk_file rw_file_perms; ...@@ -143,14 +143,18 @@ allow vold userdata_block_device:blk_file rw_file_perms;
# Access metadata block device used for encryption meta-data. # Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms; allow vold metadata_block_device:blk_file rw_file_perms;
# Allow init to manipulate /data/unencrypted # Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file lnk_file } create_file_perms; allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms; allow vold unencrypted_data_file:dir create_dir_perms;
# Give vold a place where only vold can store files; everyone else is off limits # Give vold a place where only vold can store files; everyone else is off limits
allow vold vold_data_file:dir rw_dir_perms; allow vold vold_data_file:dir rw_dir_perms;
allow vold vold_data_file:file create_file_perms; allow vold vold_data_file:file create_file_perms;
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto }; neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *; neverallow { domain -vold -init } vold_data_file:dir *;
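Review bot: `allow vold init:key { write search setattr };` gives vold write and setattr on init's keyring in addition to its own, with no comment explaining why both keyrings are needed; if the description's removal of the link means the master key now lives only in vold's keyring, the init:key write/setattr half may be unnecessary and should either be dropped or annotated with the reason it remains. The neverallows below protect vold_data_file, but nothing restricts vold:key to vold, so a matching rule such as `neverallow { domain -vold } vold:key ~search;` would pin the intent of the new key rules, given that domain.te only grants other domains search on it.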