On 01/03/2013 03:17 PM, William Roberts wrote:
> Stephen and company,
> In zygote, on special applications we use the unshare syscall followed
> by a bind mount /mnt_1/sdcard_1 over /mnt/sdcard. /mnt_1/sdcard_1 is
> an ecryptfs mount. That ecryptfs mount then uses a special folder on
> the existing sdcard. The issue we're having is that we want the target
> context to be the one on the ecryptfs and NOT the underlying sdcard's
> context. Is this possible with the existing limitations of the vfat file
> system?
>
> /mnt/sdcard/.sdcontainer_1 /mnt_1/sdcard_1 ecryptfs rw,context=u:object_r:container_app_sdcard_file:s0:c1,nodev,relatime,ecryptfs_sig=b8d52aaa4ae246b2,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough 0 0
The target context of what? There are two inodes for each of the
encrypted files: the ecryptfs inode under /mnt_1/sdcard_1 by which you
can access the plaintext and the underlying (vfat in your case) inode
under /mnt/sdcard/.sdcontainer_1 that stores the encrypted file. The
former will have the security context assigned to the ecryptfs mount by
your context= mount option, while the latter will have the security
context assigned to the vfat mount when you mounted it (either via a
context= mount option or the policy default for vfat). The two inodes
won't have the same security context, nor is that what you likely want.
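To make the two-inode point concrete, here is an added example (not code from the thread or from the SEAndroid project) that parses a /proc/mounts-style table, finds the mount owning a path by longest-prefix match, and reports the label that the mount's context= option assigns to every inode on it. The ecryptfs line is the one quoted above; the vfat and rootfs lines, the /dev/block/vold device name and the type name sdcard_vfat_example are constructed for the example, not taken from any device. The lower-path mapping relies on the quoted options carrying no ecryptfs_fnek_sig, so file names are stored unencrypted in the lower directory.

```python
"""Resolve which mount, and hence which context= label, governs a path.

Added example for the seandroid-list exchange above; not the project's code.
The mount table is constructed: only the ecryptfs line comes from the thread.
"""
import os
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed /proc/mounts-style table. The vfat label u:object_r:sdcard_vfat_example:s0
# and the device path are assumptions chosen for the example.
MOUNTS_TEXT = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,context=u:object_r:sdcard_vfat_example:s0,nosuid,nodev,relatime 0 0
/mnt/sdcard/.sdcontainer_1 /mnt_1/sdcard_1 ecryptfs rw,context=u:object_r:container_app_sdcard_file:s0:c1,nodev,relatime,ecryptfs_sig=b8d52aaa4ae246b2,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough 0 0
"""


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: Dict[str, Optional[str]]  # value is None for flag options such as rw


def _unescape(field: str) -> str:
    """Decode the octal escapes /proc/mounts uses for whitespace (e.g. \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'source target fstype options dump pass' lines into Mount records."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        source, target, fstype, raw_opts = (_unescape(f) for f in fields[:4])
        options: Dict[str, Optional[str]] = {}
        for opt in raw_opts.split(","):
            key, sep, value = opt.partition("=")
            # /proc/mounts wraps SELinux labels in double quotes; mount(8) output does not.
            options[key] = value.strip('"') if sep else None
        mounts.append(Mount(source, target, fstype, options))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match on mount points, respecting component boundaries
    (so /mnt/sdcard does not claim /mnt_1/sdcard_1)."""
    path = os.path.normpath(path)
    best: Optional[Mount] = None
    for m in mounts:
        target = os.path.normpath(m.target)
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(os.path.normpath(best.target)):
                best = m
    return best


def inode_context(path: str, mounts: List[Mount]) -> Optional[str]:
    """Label assigned by the owning mount's context= option, or None when the
    mount has no context= and the policy default for that fstype applies."""
    m = mount_for(path, mounts)
    return None if m is None else m.options.get("context")


def lower_path(upper_path: str, mounts: List[Mount]) -> Optional[str]:
    """Map a plaintext path on an ecryptfs mount to its lower (ciphertext) path.
    Without ecryptfs_fnek_sig file names are not encrypted, so only the prefix changes."""
    m = mount_for(upper_path, mounts)
    if m is None or m.fstype != "ecryptfs":
        return None
    rel = os.path.relpath(os.path.normpath(upper_path), os.path.normpath(m.target))
    return os.path.normpath(os.path.join(m.source, rel))


def both_contexts(upper_path: str, mounts: List[Mount]) -> Tuple[Optional[str], Optional[str]]:
    """Return (label of the ecryptfs inode, label of the underlying vfat inode)."""
    lower = lower_path(upper_path, mounts)
    return inode_context(upper_path, mounts), (None if lower is None else inode_context(lower, mounts))


if __name__ == "__main__":
    table = parse_mounts(MOUNTS_TEXT)
    upper = "/mnt_1/sdcard_1/photo.jpg"
    print(upper, "->", inode_context(upper, table))
    print(lower_path(upper, table), "->", inode_context(lower_path(upper, table), table))
```

Running the block prints the two labels side by side: the plaintext inode under /mnt_1/sdcard_1 carries the ecryptfs mount's context= value, while the same file's ciphertext inode under /mnt/sdcard/.sdcontainer_1 carries whatever the vfat mount was given. A bind mount shares its source's superblock, so it inherits the same context= and cannot relabel the lower inodes.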
--
This message was distributed to subscribers of the seandroid-list mailing list.