Allow access to the metadata partition for metadata encryption.

Bug: 63927601 Test: Enable metadata encryption in fstab on Taimen, check boot success. Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f

Allow access to the metadata partition for metadata encryption.
Bug: 63927601 Test: Enable metadata encryption in fstab on Taimen, check boot success. Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f
ab318e30 · Paul Crowley · 43ef5f21 · ab318e30 · ab318e30 · ab318e30
Commit ab318e30 authored 7 years ago by Paul Crowley
--- a/private/e2fs.te
+++ b/private/e2fs.te
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
--- a/private/fsck.te
+++ b/private/fsck.te
 typeattribute fsck coredomain;
 init_daemon_domain(fsck)
+allow fsck metadata_block_device:blk_file rw_file_perms;
--- a/public/domain.te
+++ b/public/domain.te
@@ -556,8 +556,14 @@ neverallow {
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
 # be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+neverallow {
-  { append link rename write open read ioctl lock };
+  domain
+  -init
+  -recovery
+  -vold
+  -e2fs
+  -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };

--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
 neverallow fsck {
  boot_block_device
  frp_block_device
-  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device