universal7580: Force restorecon for /efs
authorFelix <google@ix5.org>
Fri, 26 Apr 2019 16:02:06 +0000 (18:02 +0200)
committerDanny Wood <danwood76@gmail.com>
Tue, 6 Apr 2021 08:12:41 +0000 (10:12 +0200)
The restorecon_recursive directive in init is only applied if the
file_contexts file changed between builds, but not necessarily if any
file or folder inside /efs or /persist has changed.

The restorecon code checks whether an xattr named
"security.sehash" contains a string that matches the current
combined hashes of the SELinux context files and skips restoring labels
if there is a match, see
https://android.googlesource.com/platform/external/selinux/+/refs/tags/android-9.0.0_r35/libselinux/src/android/android_platform.c#1546

Force wiping that xattr so that restorecon always runs since it's not
very expensive (there are currently only about 100 files on /efs).

The restorecon is needed to fix issues such as wrong stock labels.

Change-Id: Ic0cd848836ee550499d9236f56ed6e939e35f01e

ramdisk/etc/init.baseband.rc
sepolicy/vendor_toolbox.te [new file with mode: 0644]

index dcadcc32640c713a1b812dfe10097c043b2162a4..2063cc33fd11b085dedec1a4e993e007b6de132d 100644 (file)
@@ -26,6 +26,8 @@ on property:ril.cbd.dt_revision=009
     rm /dev/mbin0
 
 on fs
+    exec u:r:vendor_toolbox:s0 -- /vendor/bin/toybox_vendor find /efs -type d \
+        -exec /vendor/bin/toybox_vendor setfattr -x security.sehash {} \;
     chown radio system /efs
     chmod 0771 /efs
     restorecon_recursive /efs
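Review bot: The added `exec` line carries no comment explaining why the xattr is stripped, and nothing reveals when the strip fails. If `setfattr` is denied, `restorecon_recursive /efs` would presumably keep skipping the relabel as before, with no visible signal. A comment above the exec such as `# Remove security.sehash so restorecon_recursive /efs relabels on every boot` would document that dependency. The exec names only a seclabel and no user or group, so it presumably runs with init's default identity; stating the user explicitly would make the privilege visible to the next reader. The `on fs` block starts inside the hunk, but its end is not visible here.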
diff --git a/sepolicy/vendor_toolbox.te b/sepolicy/vendor_toolbox.te
new file mode 100644 (file)
index 0000000..371afe1
--- /dev/null
@@ -0,0 +1,44 @@
+type vendor_toolbox, domain;
+
+init_daemon_domain(vendor_toolbox)
+
+# For the use of /vendor/bin/toybox_vendor from vendor init.rc fragments
+domain_trans(init, vendor_toolbox_exec, vendor_toolbox)
+
+# Allow vendor_toolbox to use these capabilities
+#allow vendor_toolbox self:capability { sys_admin };
+
+# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
+allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
+
+# Allow vendor_toolbox to read directories in rootfs
+allow vendor_toolbox rootfs:dir r_dir_perms;
+
+# Allow vendor_toolbox to remove "security.*" xattrs from /efs
+allow vendor_toolbox {
+    app_efs_file
+    battery_efs_file
+    bluetooth_efs_file
+    efs_file
+    imei_efs_file
+    prov_efs_file
+    wifi_efs_file
+    unlabeled
+}:dir { r_dir_perms setattr };
+
+allow vendor_toolbox {
+    app_efs_file
+    baro_delta_factoryapp_efs_file
+    battery_efs_file
+    bin_nv_data_efs_file
+    bluetooth_efs_file
+    cpk_efs_file
+    efs_file
+    factorymode_factoryapp_efs_file
+    imei_efs_file
+    prov_efs_file
+    radio_factoryapp_efs_file
+    sensor_factoryapp_efs_file
+    wifi_efs_file
+    unlabeled
+}:file { r_file_perms setattr };
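Review bot: The `:file { r_file_perms setattr }` rule grants more than the init command uses. The `find` in init.baseband.rc is limited to `-type d`, so `setattr` on files appears unnecessary, and `r_file_perms` also lets the domain open and read the IMEI and nv_data files. Something like `}:file getattr;` is likely enough for the directory walk. Listing `unlabeled` in both sets gives the domain `setattr` on any unlabeled directory or file it can reach, not only those under /efs; if that is needed for mislabeled stock entries, a comment should say so. The `sys_admin` rule is left commented out, yet removing a `security.*` attribute other than `security.selinux` is normally gated on CAP_SYS_ADMIN, so it is worth confirming from the audit log that the removal succeeds in enforcing mode.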