Is there a way to change the ending inode context, the one under
sdcard? vfat only supports one context, correct?

Just to verify, it looks like it is doing this, each inode's context
is checked against the policy along the way, correct?

On Thu, Jan 3, 2013 at 1:02 PM, Stephen Smalley <[email protected]> wrote:
> On 01/03/2013 03:17 PM, William Roberts wrote:
>>
>> Stephen and company,
>>
>> In zygote, on special applications we use the unshare syscall followed
>> by a bind mount /mnt_1/sdcard_1 over /mnt/sdcard. /mnt_1/sdcard_1 is
>> an ecryptfs mount. That ecryptfs mount then uses a special folder on
>> the existing sdcard. The issue we're having is that we want the target
>> context to be the one on the ecryptfs and NOT the underlying sdcard's
>> context. Is this possible with the existing limitations of the vfat file
>> system?
>>
>> /mnt/sdcard/.sdcontainer_1 /mnt_1/sdcard_1 ecryptfs
>>
>> rw,context=u:object_r:container_app_sdcard_file:s0:c1,nodev,relatime,ecryptfs_sig=b8d52aaa4ae246b2,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough
>> 0 0
>
>
> The target context of what?  There are two inodes for each of the encrypted
> files: the ecryptfs inode under /mnt_1/sdcard_1 by which you can access the
> plaintext and the underlying (vfat in your case) inode under
> /mnt/sdcard/.sdcontainer_1 that stores the encrypted file.  The former will
> have the security context assigned to the ecryptfs mount by your context=
> mount option, while the latter will have the security context assigned to
> the vfat mount when you mounted it (either via a context= mount option or
> the policy default for vfat).  The two inodes won't have the same security
> context, nor is that what you likely want.
>
>
>



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the seandroid-list mailing list.
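The following Python is an added example, not code from this thread or from Android. It models the point in Stephen's reply: an encrypted file has two inodes, the ecryptfs one labelled by the `context=` option on the ecryptfs mount and the underlying vfat one labelled by the vfat mount (its own `context=` or the policy default), and a bind mount over `/mnt/sdcard` only changes which of those two an app in the unshared namespace sees. The ecryptfs mount line is the one quoted in the thread; the vfat device path, the per-filesystem default labels and the `DCIM/photo.jpg` path are constructed assumptions, not values from the list or from any real policy.

```python
"""Which SELinux label does a path's inode carry, given the mounts in a namespace?

Added example for the seandroid-list thread; not code from the thread or Android.
Each mount layer has its own inodes and its own label: the context= option if the
mount has one, otherwise the policy default for that filesystem type.
"""
from dataclasses import dataclass, field

# Assumed per-filesystem defaults standing in for the policy's genfscon/fs_use
# rules. Illustrative placeholders, not values taken from a real policy.
DEFAULT_FS_CONTEXT = {
    "vfat": "u:object_r:sdcard_external:s0",
}
FALLBACK_CONTEXT = "u:object_r:unlabeled:s0"


@dataclass
class Mount:
    source: str
    target: str
    fstype: str
    options: dict = field(default_factory=dict)


def parse_mount_line(line: str) -> Mount:
    """Parse one fstab / /proc/mounts style line: source target fstype options [dump pass]."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed mount line: {line!r}")
    source, target, fstype, optstr = parts[:4]
    options = {}
    for opt in optstr.split(","):
        key, has_value, value = opt.partition("=")
        # Bare flags such as 'rw' become True; key=value options keep their value.
        options[key] = value.strip('"') if has_value else True
    return Mount(source, target, fstype, options)


def parse_mounts(text: str) -> list:
    return [parse_mount_line(line) for line in text.splitlines() if line.strip()]


def inode_context(mount: Mount) -> str:
    """Label carried by every inode on this mount."""
    ctx = mount.options.get("context")
    if isinstance(ctx, str) and ctx:
        return ctx
    return DEFAULT_FS_CONTEXT.get(mount.fstype, FALLBACK_CONTEXT)


def _covers(target: str, path: str) -> bool:
    t = target.rstrip("/") or "/"
    return path == t or path.startswith(t if t == "/" else t + "/")


def resolve_mount(mounts: list, path: str) -> Mount:
    """Topmost mount covering path: longest target prefix wins, and at equal length
    a later entry wins (a bind mount stacked over /mnt/sdcard hides what was there)."""
    best = None
    for m in mounts:
        if _covers(m.target, path):
            if best is None or len(m.target.rstrip("/")) >= len(best.target.rstrip("/")):
                best = m
    if best is None:
        raise LookupError(f"no mount covers {path}")
    return best


def lower_path(mount: Mount, path: str) -> str:
    """Where the ecryptfs layer keeps path's ciphertext on its lower filesystem."""
    rel = path[len(mount.target.rstrip("/")):]
    return mount.source.rstrip("/") + rel


def label_layers(app_mounts: list, global_mounts: list, path: str):
    """(upper inode label, lower inode label) for path as seen in the app's namespace.

    The lower path is resolved against the global namespace, because inside the
    app's namespace the bind mount hides the plain vfat view of /mnt/sdcard.
    """
    upper = resolve_mount(app_mounts, path)
    upper_ctx = inode_context(upper)
    if upper.fstype != "ecryptfs":
        return upper_ctx, None
    lower = resolve_mount(global_mounts, lower_path(upper, path))
    return upper_ctx, inode_context(lower)


# Constructed sample of the global namespace's mount table. The device path is
# made up; the ecryptfs line is the one quoted in the thread.
GLOBAL_MOUNTS = parse_mounts("""
/dev/block/vold/179:1 /mnt/sdcard vfat rw,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702 0 0
/mnt/sdcard/.sdcontainer_1 /mnt_1/sdcard_1 ecryptfs rw,context=u:object_r:container_app_sdcard_file:s0:c1,nodev,relatime,ecryptfs_sig=b8d52aaa4ae246b2,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough 0 0
""")

# The app's namespace after unshare plus the bind of /mnt_1/sdcard_1 over /mnt/sdcard:
# the bind appears as a second ecryptfs entry at /mnt/sdcard with the same options.
APP_MOUNTS = GLOBAL_MOUNTS + [
    Mount(GLOBAL_MOUNTS[1].source, "/mnt/sdcard", "ecryptfs", dict(GLOBAL_MOUNTS[1].options)),
]

if __name__ == "__main__":
    path = "/mnt/sdcard/DCIM/photo.jpg"
    print("app namespace   :", label_layers(APP_MOUNTS, GLOBAL_MOUNTS, path))
    print("global namespace:", label_layers(GLOBAL_MOUNTS, GLOBAL_MOUNTS, path))
```

Run stand-alone it prints the ecryptfs label for the app's view of the file and the vfat label for the ciphertext inode beneath it, while the same path in the global namespace resolves to a plain vfat inode. The upper label is whatever the `context=` option on the ecryptfs mount says, so the answer to the question in the thread is that the label the app's accesses are checked against is chosen by that option, and the vfat inode keeps the single label its own mount gave it.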
