From 000cafc70120e26a1c0918d5cedff1a646521c11 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Fri, 30 Mar 2018 12:22:54 -0600
Subject: [PATCH] Add exFAT support; unify behind "sdcard_type".

We're adding support for OEMs to ship exFAT, which behaves identical to vfat. Some rules have been manually enumerating labels related to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
---
 private/app_neverallows.te | 4 +---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/genfs_contexts | 1 +
 private/platform_app.te | 4 ++--
 public/app.te | 15 ++++----------
 public/file.te | 1 +
 public/hal_configstore.te | 9 ++++++++-
 public/hal_telephony.te | 1 -
 9 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4b79060e3..3bdbfb181 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -93,9 +93,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
 # application un-installation.
 neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
-  -fuse # sdcard
-  -sdcardfs # sdcard
-  -vfat
+  -sdcard_type
   file_type
   -app_data_file # The apps sandbox itself
   -media_rw_data_file # Internal storage. Known that apps can
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab58ddaa2..68d6b409e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -19,6 +19,7 @@
     crossprofileapps_service
     e2fs
     e2fs_exec
+    exfat
     exported_bluetooth_prop
     exported_config_prop
     exported_dalvik_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 493ac312e..1eaf22a7d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
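Review bot: The `-sdcard_type` exclusion on the neverallow in private/app_neverallows.te now follows an attribute instead of a fixed list, so any type later added to sdcard_type (exfat is added in public/file.te in this same commit) is silently exempted from the untrusted-app fs_type restriction without this rule ever being edited. That matches the commit's intent, but the exemption's current scope is no longer visible at the point where it is granted, and a future sdcard_type addition will not show up in a review of this file. A comment naming the members would keep that visible, e.g. `-sdcard_type # fuse, sdcardfs, vfat, exfat; any future sdcard_type member is exempted too`. The neverallow statement continues past the end of the hunk.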
@@ -15,6 +15,7 @@
     bpfloader_exec
     cgroup_bpf
     crossprofileapps_service
+    exfat
     exported2_config_prop
     exported2_default_prop
     exported2_radio_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f2b969902..1d321d81b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -238,6 +238,7 @@ genfscon debugfs /tracing/events/lowmemorykiller/
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 80b20e145..f60597a7e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -34,8 +34,8 @@ allow platform_app cache_file:file create_file_perms;
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
 
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
diff --git a/public/app.te b/public/app.te
index cc4d285f8..b5e77c15c 100644
--- a/public/app.te
+++ b/public/app.te
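Review bot: The two rewritten rules in private/platform_app.te now grant create_dir_perms/create_file_perms on every sdcard_type member, including fuse and sdcardfs, while the comment directly above them still describes direct vfat access under /mnt/media_rw that bypasses the FUSE layer, so the comment and the rule no longer say the same thing. If platform_app is a member of appdomain and is neither isolated_app nor ephemeral_app (its domain definition is outside this hunk), the identical grants are already made by the public/app.te change in this commit and these two lines become redundant. Either drop them, or keep them and state what they add, e.g. `# Also covers exfat; fuse/sdcardfs are already granted to appdomain via app.te`.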
@@ -250,19 +250,12 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
diff --git a/public/file.te b/public/file.te
index c10058ea1..5a5ee80ba 100644
--- a/public/file.te
+++ b/public/file.te
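Review bot: The removed lines `# Access OBBs (vfat images) mounted by vold (b/17633509)` and `# File write access allowed for FDs returned through Storage Access Framework` in public/app.te were the only explanation of why apps are given access to vold-mounted vfat images, and the new sdcard_type rules carry no trace of that rationale or of the fact that they now also cover exfat. Keep it next to the replacement rules, e.g. `# Read/write visible storage: fuse, sdcardfs, vfat, exfat (sdcard_type), including OBB images mounted by vold (b/17633509)`. For the record, this is not a net widening for vfat: the removed `{ media_rw_data_file vfat }` rules already granted create_dir_perms/create_file_perms on vfat, so the weaker r_dir_perms/rw_file_perms rules were redundant before this change.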
@@ -108,6 +108,7 @@ type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index d5f2ef6fe..c8051e142 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,7 +49,14 @@ neverallow hal_configstore_server {
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
-neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+neverallow hal_configstore_server {
+  sdcard_type
+  fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+  sdcard_type
+  fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
 
 # Do not permit access to service_manager and vndservice_manager
 neverallow hal_configstore_server *:service_manager *;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 31859aa51..5f8cc41ca 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -21,7 +21,6 @@ allow hal_telephony_server efs_file:file create_file_perms;
 allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
 allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
 allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-allow hal_telephony_server sdcard_type:dir r_dir_perms;
 
 # property service
 set_prop(hal_telephony_server, radio_prop)
-- 
GitLab
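Review bot: The new directory neverallow in public/hal_configstore.te ends in `}:dir ~getattr;` and so deliberately leaves getattr on sdcard directories permitted, while the file-class rule two lines below keeps `*`; nothing on the page says whether that carve-out is required by something the server does or is merely tolerated, and the comment above both rules still reads `# Should never need sdcard access`. Add the reason on that line, e.g. `}:dir ~getattr; # getattr is excluded because <reason for the exemption>`, so the next person tightening this rule knows whether `*` is safe. The `# manual expansion for completeness` lists will go stale as sdcard_type grows, but because sdcard_type itself is in the set a stale list cannot weaken the rule, so that duplication is harmless defence in depth.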