From cedee697c3683ac267c0933200e6727f0910d2e6 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 30 Sep 2014 13:09:55 -0400
Subject: [PATCH] Fix fsck-related denials with encrypted userdata.

Allow error reporting via the pty supplied by init. Allow vold to invoke fsck for checking volumes.

Addresses denials such as:
avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

These denials show up if you have encrypted userdata.

Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley
---
 fsck.te | 2 +-
 vold.te | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/fsck.te b/fsck.te
index 57664770b..d25517532 100644
--- a/fsck.te
+++ b/fsck.te
@@ -10,7 +10,7 @@ init_daemon_domain(fsck)
 allow fsck tmpfs:chr_file { read write ioctl };
 
 # Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write };
+allow fsck devpts:chr_file { read write ioctl };
 
 # Run e2fsck on block devices.
 # TODO: Assign userdata and cache block device types to the corresponding
diff --git a/vold.te b/vold.te
index 620089602..ef3924b34 100644
--- a/vold.te
+++ b/vold.te
@@ -38,6 +38,9 @@ allow vold sysfs:file rw_file_perms;
 
 write_klog(vold)
 
+# Run fsck.
+allow vold fsck_exec:file rx_file_perms;
+
 # Log fsck results
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
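Review bot: The added `ioctl` on `devpts:chr_file` grants every ioctl on the inherited pty, while the logged denial only shows that some ioctl on /dev/pts/0 was attempted, not which one; the comment above the rule does not explain the new permission either. The existing comment should say why ioctl is now in the set, e.g. `# Inherit and use pty created by android_fork_execvp_ext(); ioctl is needed for the terminal queries e2fsck makes when reporting errors (presumably isatty/termios style calls - confirm from the ioctl number if the audit log records it).` If the policy toolchain in use supports extended permissions, an `allowxperm` rule could narrow this to the specific terminal ioctls instead of the whole ioctl permission; otherwise the broad grant is the only option and the comment should say so.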
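Review bot: `allow vold fsck_exec:file rx_file_perms;` lets vold execute the fsck binaries but adds no domain transition, so an e2fsck launched by vold keeps running as u:r:vold:s0 with vold's much broader permissions rather than in the confined fsck domain that init-launched fsck gets via `init_daemon_domain(fsck)` in fsck.te. If the intent is for vold's fsck to be confined as well, the file's existing macro can do it: `domain_auto_trans(vold, fsck_exec, fsck)` in place of the plain allow (it grants the execute permission and the transition together), possibly paired with the devpts/fscklogs access the fsck domain would then need. If running fsck inside vold's domain is deliberate, the comment should say so instead of the bare `# Run fsck.`, e.g. `# Run fsck without a domain transition; e2fsck runs as vold.`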