commit 7a9dd95cbc969fa21dfe4c1bbcac3315e47d81a4
author Jeff Sharkey <jsharkey@android.com> Tue Jan 12 16:52:16 2016 -0700
committer Jeff Sharkey <jsharkey@android.com> Fri Jan 15 14:07:12 2016 -0700
tree c6d8af90052a714bb9ca51a1b85f11dc3afdcada
parent b025f3efc03a8b11088d494332a80bd460f68955

Offer to enforce "locked" state using SELinux.

Bug: 26466827
Change-Id: Id5f05298c2cb5f3cf288df37ddf0a196ca49949b

Ext4Crypt.cpp

diff --git a/Ext4Crypt.cpp b/Ext4Crypt.cpp
index a37812b..4eb7c3e 100644
--- a/Ext4Crypt.cpp
+++ b/Ext4Crypt.cpp
@@ -32,6 +32,7 @@
 #include <fcntl.h>
 #include <cutils/properties.h>
 #include <openssl/sha.h>
+#include <selinux/android.h>
 
 #include <private/android_filesystem_config.h>
 
@@ -42,6 +43,8 @@
 
 #define LOG_TAG "Ext4Crypt"
 
+#define EMULATED_USES_SELINUX 0
+
 #include <cutils/fs.h>
 #include <cutils/log.h>
 #include <cutils/klog.h>
@@ -712,6 +715,34 @@
     return 0;
 }
 
+static int emulated_lock(const std::string& path) {
+    if (chmod(path.c_str(), 0000) != 0) {
+        PLOG(ERROR) << "Failed to chmod " << path;
+        return -1;
+    }
+#if EMULATED_USES_SELINUX
+    if (setfilecon(path.c_str(), "u:object_r:storage_stub_file:s0") != 0) {
+        PLOG(WARNING) << "Failed to setfilecon " << path;
+        return -1;
+    }
+#endif
+    return 0;
+}
+
+static int emulated_unlock(const std::string& path, mode_t mode) {
+    if (chmod(path.c_str(), mode) != 0) {
+        PLOG(ERROR) << "Failed to chmod " << path;
+        return -1;
+    }
+#if EMULATED_USES_SELINUX
+    if (selinux_android_restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_FORCE) != 0) {
+        PLOG(WARNING) << "Failed to restorecon " << path;
+        return -1;
+    }
+#endif
+    return 0;
+}
+
 int e4crypt_unlock_user_key(userid_t user_id, const char* token) {
     if (e4crypt_is_native()) {
         auto user_key = e4crypt_get_key(get_key_path(DATA_MNT_POINT, user_id), false, false);
@@ -726,10 +757,10 @@
         // When in emulation mode, we just use chmod. However, we also
         // unlock directories when not in emulation mode, to bring devices
         // back into a known-good state.
-        if (chmod(android::vold::BuildDataSystemCePath(user_id).c_str(), 0771) ||
-                chmod(android::vold::BuildDataMediaPath(nullptr, user_id).c_str(), 0770) ||
-                chmod(android::vold::BuildDataUserPath(nullptr, user_id).c_str(), 0771)) {
-            PLOG(ERROR) << "Failed to unlock user " << user_id;
+        if (emulated_unlock(android::vold::BuildDataSystemCePath(user_id), 0771) ||
+                emulated_unlock(android::vold::BuildDataMediaPath(nullptr, user_id), 0770) ||
+                emulated_unlock(android::vold::BuildDataUserPath(nullptr, user_id), 0771)) {
+            LOG(ERROR) << "Failed to unlock user " << user_id;
             return -1;
         }
     }
@@ -742,9 +773,9 @@
         // TODO: remove from kernel keyring
     } else if (e4crypt_is_emulated()) {
         // When in emulation mode, we just use chmod
-        if (chmod(android::vold::BuildDataSystemCePath(user_id).c_str(), 0000) ||
-                chmod(android::vold::BuildDataMediaPath(nullptr, user_id).c_str(), 0000) ||
-                chmod(android::vold::BuildDataUserPath(nullptr, user_id).c_str(), 0000)) {
+        if (emulated_lock(android::vold::BuildDataSystemCePath(user_id)) ||
+                emulated_lock(android::vold::BuildDataMediaPath(nullptr, user_id)) ||
+                emulated_lock(android::vold::BuildDataUserPath(nullptr, user_id))) {
             PLOG(ERROR) << "Failed to lock user " << user_id;
             return -1;
         }