Allow system_server to measure emulated stats.

Historically we pushed all system_server SD card interactions through DefaultContainerService to avoid holding open FDs, but it's safe to measure disk usage for internal emulated storage when looking directly at /data/media, since there is no risk of unsafe ejection. These rule changes give us just enough access to measure statistics. avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 Test: builds, boots, and access allowed Bug: 33298975 Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382

Allow system_server to measure emulated stats.
Historically we pushed all system_server SD card interactions through DefaultContainerService to avoid holding open FDs, but it's safe to measure disk usage for internal emulated storage when looking directly at /data/media, since there is no risk of unsafe ejection. These rule changes give us just enough access to measure statistics. avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 Test: builds, boots, and access allowed Bug: 33298975 Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
17c675b3 · Jeff Sharkey · 685ef6b8 · 17c675b3
Commit 17c675b3 authored 8 years ago by Jeff Sharkey
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -321,7 +321,11 @@ allow system_server system_app_data_file:file create_file_perms;
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };

+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
 # Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };

 # Relabel apk files.
@@ -541,11 +545,6 @@ allow system_server adbd:unix_stream_socket connectto;
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow system_server media_rw_data_file:dir search;
-
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;