Revert "common: Drop custom filesystem rules"
This reverts commit 84ff049fac31718216975dbf1a61f9df1a1ce927.
Reason for revert: Needed for custom filesystem support
Change-Id: Ie7d24391f68bb854e53b78aa92d01c2c546a3089
diff --git a/common/private/file.te b/common/private/file.te
index 76521e5..b2bfa43 100644
--- a/common/private/file.te
+++ b/common/private/file.te
@@ -1 +1,2 @@
+type sdcard_posix, sdcard_type, sdcard_posix_contextmount_type, fs_type, mlstrustedobject;
type adbroot_data_file, file_type, data_file_type, core_data_file_type;
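Review bot: The new `sdcard_posix` type is declared with `mlstrustedobject` and no comment, so it is not obvious that objects of this type are exempt from the MLS level checks. Any domain that holds a TE allow rule on it can reach it regardless of category. A one-line comment above the declaration would record the intent, for example `# ext4/f2fs external storage mounted with a context= option; mlstrustedobject like the other sdcard_type filesystems`. The ext4/f2fs reading is inferred from the "External EXT4/F2FS storage" rules in vold.te and should be confirmed.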
diff --git a/common/private/file_contexts b/common/private/file_contexts
index cc2800f..a441605 100644
--- a/common/private/file_contexts
+++ b/common/private/file_contexts
@@ -1,3 +1,9 @@
+# Filesystem tools
+/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
+/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
+/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
+/system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
+
# OTA packages
/data/lineageos_updates(/.*)? u:object_r:ota_package_file:s0
diff --git a/common/private/fsck_untrusted.te b/common/private/fsck_untrusted.te
new file mode 100644
index 0000000..5d12f76
--- /dev/null
+++ b/common/private/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# External storage
+allow fsck_untrusted self:capability sys_admin;
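Review bot: `sys_admin` is granted to `fsck_untrusted` with only `# External storage` as justification, yet this is the domain that checks filesystems on removable media, so a very broad capability sits next to attacker-influenced input. The rule should name the checker and the operation that needs it, e.g. `# fsck.ntfs (labelled fsck_exec in file_contexts) needs CAP_SYS_ADMIN for <operation> - confirm`, so a later audit can tell whether it is still required. If the rule only silences a denial that does not affect the check, `dontaudit fsck_untrusted self:capability sys_admin;` would be the narrower choice. It is also worth confirming that the grant does not conflict with a platform neverallow on the targeted release.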
diff --git a/common/private/genfs_contexts b/common/private/genfs_contexts
index 87013ad..c629305 100644
--- a/common/private/genfs_contexts
+++ b/common/private/genfs_contexts
@@ -1 +1,5 @@
+ifelse(board_excludes_fuseblk_sepolicy, `true', ,
+genfscon fuseblk / u:object_r:vfat:s0
+)
+
genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
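Review bot: `genfscon fuseblk / u:object_r:vfat:s0` gives every FUSE block mount the `vfat` label, so each domain already allowed on `vfat` gets the same access to those mounts, and neither this nor the m4 guard is explained. A comment above the `ifelse` would help, for example `# Treat FUSE block filesystems (e.g. ntfs-3g) like vfat; omitted when the prebuilt vendor policy already defines it (board_excludes_fuseblk_sepolicy, see common/sepolicy.mk)`. The ntfs-3g attribution is inferred from the vold.te comment in this commit.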
diff --git a/common/private/mkfs.te b/common/private/mkfs.te
new file mode 100644
index 0000000..2c16520
--- /dev/null
+++ b/common/private/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, coredomain, domain;
+type mkfs_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
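Review bot: The `mkfs` domain receives `rw_file_perms` on `userdata_block_device` and `cache_block_device`, which is raw access to those partitions, but the file does not say who is expected to enter the domain. The only entry point visible here is `init_daemon_domain(mkfs)`. A header comment such as `# Entered from init only; formats userdata/cache. vold runs mkfs_exec in its own domain (see vold.te)` would make that scope explicit. It is also worth stating that all three binaries labelled `mkfs_exec` in file_contexts (`mkfs.exfat`, `mkfs.f2fs`, `mkfs.ntfs`) inherit these block-device permissions when started that way.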
diff --git a/common/private/system_server.te b/common/private/system_server.te
index e654e59..7c917fe 100644
--- a/common/private/system_server.te
+++ b/common/private/system_server.te
@@ -1,3 +1,5 @@
+allow system_server storage_stub_file:dir getattr;
+
allow system_server adbroot_service:service_manager find;
# Use HALs
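Review bot: `allow system_server storage_stub_file:dir getattr;` is added at the top of the file without a comment, while the other rules added by this commit are grouped under one. A short line such as `# External storage: stat the storage stub mount point` (wording to be confirmed against the denial that motivated it) would keep the rule traceable.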
diff --git a/common/private/vold.te b/common/private/vold.te
new file mode 100644
index 0000000..915190b
--- /dev/null
+++ b/common/private/vold.te
@@ -0,0 +1,11 @@
+# NTFS-3g wants to drop permission
+allow vold self:capability { setgid setuid };
+
+# External storage
+allow vold mkfs_exec:file rx_file_perms;
+allow vold mnt_media_rw_stub_file:dir r_dir_perms;
+allow vold storage_stub_file:dir rw_dir_perms;
+
+# External EXT4/F2FS storage
+allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+allow vold labeledfs:filesystem relabelfrom;
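Review bot: `allow vold mkfs_exec:file rx_file_perms;` includes `execute_no_trans`, so the mkfs tools run inside vold's own domain rather than in the `mkfs` domain this commit defines. The `{ setgid setuid }` grant with its "NTFS-3g wants to drop permission" comment suggests ntfs-3g also runs as vold. Code that handles removable-media contents therefore executes with vold's full policy. If a transition is workable, `domain_auto_trans(vold, mkfs_exec, mkfs)` would confine it, provided the `mkfs` domain is given access to the external block devices. Otherwise the comment should state that running in-domain is deliberate. The two relabel rules would also benefit from a note that they exist for `context=` mounts of `sdcard_posix`, if that is the intent.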
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
index 1a55071..561d341 100644
--- a/common/sepolicy.mk
+++ b/common/sepolicy.mk
@@ -9,6 +9,12 @@
endif
endif
+ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
+ifeq ($(TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR),true)
+BOARD_SEPOLICY_M4DEFS += board_excludes_fuseblk_sepolicy=true
+endif
+endif
+
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
device/lineage/sepolicy/common/public
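Review bot: `TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR` is introduced without a comment, and the two `ifeq` lines use different spacing (`, true` vs `,true`). A device maintainer cannot tell from this file when the flag must be set, nor that leaving it unset on a prebuilt vendor image that already labels `fuseblk` presumably yields a conflicting `genfscon`. Suggest adding `# Vendor image already ships the fuseblk genfscon; drop ours (see common/private/genfs_contexts)` above the block and normalising both comparisons to one spacing style.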