Merge \\"Only restorecon CE storage after unlocked.\\" into nyc-mr1-dev am: 96f387e8c0
am: 91404d9481
Change-Id: I909f1697562f390b58cf08cc9b17e566cde7d73c
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 38b44b7..b227d40 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -861,8 +861,12 @@
int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- if (restorecon_recursive(it->c_str()) < 0)
+ /* The contents of CE paths are encrypted on FBE devices until user
+ * credentials are presented (filenames inside are mangled), so we need
+ * to delay restorecon of those until vold explicitly requests it. */
+ if (restorecon_recursive_skipce(it->c_str()) < 0) {
ret = -errno;
+ }
}
return ret;
}
diff --git a/init/util.cpp b/init/util.cpp
index 6c1923f..80b2325 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -362,6 +362,12 @@
return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
}
+int restorecon_recursive_skipce(const char* pathname)
+{
+ return selinux_android_restorecon(pathname,
+ SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
/*
* Writes hex_len hex characters (1/2 byte) to hex from bytes.
*/
diff --git a/init/util.h b/init/util.h
index 9d522cc..651e609 100644
--- a/init/util.h
+++ b/init/util.h
@@ -59,6 +59,7 @@
int make_dir(const char *path, mode_t mode);
int restorecon(const char *pathname);
int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst);