From 02bf4aad9f2ba99cc4e4c10a8d97364c9ed61e13 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Mon, 12 Dec 2016 11:51:38 -0800
Subject: [PATCH] isolated_app.te: Give permissions for using sdcardfs

Sdcardfs does not use a userspace daemon, so accesses to the lower
filesystem are currently checked against the caller's secontext. This
grant can be removed if sdcardfs is modified to change the secontext
before calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
---
 public/isolated_app.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/public/isolated_app.te b/public/isolated_app.te
index f2216ee9d..fc9aba80e 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -30,8 +30,10 @@ allow isolated_app self:process ptrace;
 # neverallow rules below.
 # TODO: consider removing write/append. We want to limit isolated_apps
 # ability to mutate files of any type.
-allow isolated_app sdcard_type:file { read write append getattr lock };
-auditallow isolated_app sdcard_type:file { write append };
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
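Review bot: The new allow on line 31 grants isolated_app read/write/append on every file labeled media_rw_data_file, not only those reached through an sdcardfs mount, so an fd to the lower /data/media tree handed to an isolated process over binder would presumably be usable too; the comment on lines 29-30 should state that scope explicitly so nobody reads it as sdcardfs-only. The grant is described as temporary but has no tracking marker; tie it to the bug from the commit record, e.g. `# TODO(b/32735101): drop media_rw_data_file once sdcardfs switches secontext before calling into the lower filesystem.`. This also widens exactly the write/append access the TODO on lines 25-26 wants to shrink, which is worth a sentence in the comment. If any existing neverallow on isolated_app or appdomain covers media_rw_data_file, the policy build will reject this rule; that cannot be confirmed from the hunk and should be checked.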
-- 
GitLab