cryptfs: run e2fsck/fsck.f2fs in fsck domain
e2fsck and fsck.f2fs must run in the fsck domain. Add call to
setexeccon() to tell selinux to run in the fsck domain on exec.
Addresses:
avc: denied { execute_no_trans } for path="/system/bin/e2fsck" dev="mmcblk0p41" ino=241 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file
Bug: 26872236
Change-Id: Ib2a583aeefc667f8aa67532e0ac0ff9619b65461
diff --git a/cryptfs.c b/cryptfs.c
index f5a065a..7ca05b0 100644
--- a/cryptfs.c
+++ b/cryptfs.c
@@ -43,7 +43,9 @@
#include <fs_mgr.h>
#include <time.h>
#include <math.h>
+#include <selinux/selinux.h>
#include "cryptfs.h"
+#include "secontext.h"
#define LOG_TAG "Cryptfs"
#include "cutils/log.h"
#include "cutils/properties.h"
@@ -1683,6 +1685,15 @@
/* If that succeeded, then mount the decrypted filesystem */
int retries = RETRY_MOUNT_ATTEMPTS;
int mount_rc;
+
+ /*
+ * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
+ * partitions in the fsck domain.
+ */
+ if (setexeccon(secontextFsck())){
+ SLOGE("Failed to setexeccon");
+ return -1;
+ }
while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
crypto_blkdev, 0))
!= 0) {
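Review bot: The guard `if (setexeccon(secontextFsck())){` cannot tell a missing fsck context from success, because `setexeccon(NULL)` is the reset form (the later hunk uses it that way) and returns 0. If `secontextFsck()` ever yields NULL, the mount proceeds with no exec context set and fsck is exec'd from the vold domain, which is the case the AVC denial in the commit message shows, with nothing in the log pointing here. `secontextFsck()` is defined outside this diff, so whether it can return NULL needs confirming; if it can, hold the result in a local and test it first, e.g. `if (ctx == NULL || setexeccon(ctx)) {`. Adding `strerror(errno)` to this `SLOGE` would also separate it from the two reset failures, which log the identical string. The enclosing function starts and ends outside the hunk.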
@@ -1704,9 +1715,16 @@
cryptfs_set_corrupt();
cryptfs_trigger_restart_min_framework();
SLOGI("Started framework to offer wipe");
+ if (setexeccon(NULL)) {
+ SLOGE("Failed to setexeccon");
+ }
return -1;
}
}
+ if (setexeccon(NULL)) {
+ SLOGE("Failed to setexeccon");
+ return -1;
+ }
property_set("vold.decrypt", "trigger_load_persist_props");
/* Create necessary paths on /data */
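Review bot: The reset on the failure branch comes after `cryptfs_set_corrupt();` and `cryptfs_trigger_restart_min_framework();`, so both helpers run with the fsck exec context still set on this thread. Their bodies are outside this diff, so whether they exec anything is unconfirmed, but moving the `if (setexeccon(NULL))` block ahead of `cryptfs_set_corrupt();` removes the question. On the success path, `return -1` after a failed reset reports failure with the data partition already mounted and the fsck context still in effect for later execs from this thread; a comment such as `/* mount succeeded but exec context could not be cleared; abort rather than exec as fsck */` would record that this is deliberate. Any other exit from the retry loop between this hunk and the previous one (not visible here) needs the same reset. The enclosing function starts and ends outside the hunk.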