From fcfc13ac6f2893ac055a58459aeb704b2500607c Mon Sep 17 00:00:00 2001
From: Keith Mok
Date: Tue, 15 Dec 2015 13:24:34 -0800
Subject: [PATCH] sepolicy: Add domain for mkfs binaries

The init binary must transition to another domain when calling out to executables. Create the mkfs domain for mkfs.f2fs such that init can transition to it when formatting userdata/cache partitions if the "formattable" flag is set.

Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
---
 sepolicy/file_contexts | 3 +++
 sepolicy/mkfs.te | 9 +++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 sepolicy/mkfs.te

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 76114782..e5ae776f 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,6 +14,9 @@
 /system/etc/init.d/90userinit u:object_r:userinit_exec:s0
 /data/local/userinit.sh u:object_r:userinit_data_exec:s0
+# For F2FS partitions marked "formattable"
+/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
+
 # For minivold in recovery
 /sbin/minivold u:object_r:vold_exec:s0
diff --git a/sepolicy/mkfs.te b/sepolicy/mkfs.te
new file mode 100644
index 00000000..fe7c61bb
--- /dev/null
+++ b/sepolicy/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, domain;
+type mkfs_exec, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
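Review bot: The comment above the new `/system/bin/mkfs\.f2fs` entry in file_contexts names the trigger but not the consequence of the label: whatever binary sits at this path is what init runs in the mkfs domain, with the raw block-device access that mkfs.te grants. I would say so in the comment, e.g. `# mkfs.f2fs: run by init in the mkfs domain (mkfs.te) to format partitions marked "formattable"`. The commit subject speaks of mkfs binaries in general while only this one path is labelled, so any other formatter init invokes would presumably not get this domain; worth confirming that is intended.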
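Review bot: Nothing in the new mkfs.te restricts how the mkfs domain may be entered, although the domain is given `rw_file_perms` on the raw `userdata_block_device` and `cache_block_device` nodes; the only entry path shown is the init transition set up by `init_daemon_domain(mkfs)`. Raw block access bypasses the file-level labels on those partitions, so I would pin the entry points with neverallow rules after the allow lines: `neverallow { domain -init } mkfs:process transition;`, `neverallow * mkfs:process dyntransition;` and `neverallow mkfs { file_type fs_type -mkfs_exec }:file entrypoint;`. A later policy change that lets another domain transition into mkfs, or lets a different file serve as its entrypoint, would then fail at policy build time instead of silently widening access.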