Merge "Only restorecon CE storage after unlocked."
diff --git a/init/builtins.cpp b/init/builtins.cpp
index ebdc8c9..08b591b 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -915,8 +915,12 @@
int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- if (restorecon_recursive(it->c_str()) < 0)
+ /* The contents of CE paths are encrypted on FBE devices until user
+ * credentials are presented (filenames inside are mangled), so we need
+ * to delay restorecon of those until vold explicitly requests it. */
+ if (restorecon_recursive_skipce(it->c_str()) < 0) {
ret = -errno;
+ }
}
return ret;
}
diff --git a/init/util.cpp b/init/util.cpp
index cb5a094..65b238b 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -379,6 +379,12 @@
return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
}
+int restorecon_recursive_skipce(const char* pathname)
+{
+ return selinux_android_restorecon(pathname,
+ SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
/*
* Writes hex_len hex characters (1/2 byte) to hex from bytes.
*/
diff --git a/init/util.h b/init/util.h
index dccec04..ef40748 100644
--- a/init/util.h
+++ b/init/util.h
@@ -70,6 +70,7 @@
int make_dir(const char *path, mode_t mode);
int restorecon(const char *pathname);
int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst);