Merge "Only restorecon CE storage after unlocked." into nyc-mr1-dev
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 5631877..70f9194 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -875,8 +875,12 @@
int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- if (restorecon_recursive(it->c_str()) < 0)
+ /* The contents of CE paths are encrypted on FBE devices until user
+ * credentials are presented (filenames inside are mangled), so we need
+ * to delay restorecon of those until vold explicitly requests it. */
+ if (restorecon_recursive_skipce(it->c_str()) < 0) {
ret = -errno;
+ }
}
return ret;
}
diff --git a/init/util.cpp b/init/util.cpp
index 683f6d8..89d3276 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -471,6 +471,12 @@
return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
}
+int restorecon_recursive_skipce(const char* pathname)
+{
+ return selinux_android_restorecon(pathname,
+ SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
/*
* Writes hex_len hex characters (1/2 byte) to hex from bytes.
*/
diff --git a/init/util.h b/init/util.h
index c2efb01..af4b098 100644
--- a/init/util.h
+++ b/init/util.h
@@ -63,6 +63,7 @@
int make_dir(const char *path, mode_t mode);
int restorecon(const char *pathname);
int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst);