From 17c675b327727b180e5096fb76ae6ad9411d2ddc Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Fri, 2 Dec 2016 13:13:57 -0700
Subject: [PATCH] Allow system_server to measure emulated stats.

Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.

These rule changes give us just enough access to measure statistics.

avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
---
 public/system_server.te | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/public/system_server.te b/public/system_server.te
index f9dbc89be..d6fb0a492 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -321,7 +321,11 @@ allow system_server system_app_data_file:file create_file_perms;
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
 
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
 # Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };
 
 # Relabel apk files.
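Review bot: The comment added at L36 folds "measuring disk usage" into a file rule that also carries `write append`, which a reader may take to mean measurement needs write access; only `getattr` on files is relevant to the stats use case, and the `write append` perms predate this change and exist for FDs received over binder. Since the new dir rule grants `search getattr open read` but the file rule still lacks `open`, system_server can traverse and list /data/media but cannot open files there on its own; this boundary is the security-relevant property of the change and is worth stating so a later patch does not widen it by accident. Suggest replacing the L36 comment with `# Disk-usage measurement only needs getattr here; open is deliberately not granted, so file contents remain reachable only through FDs passed over binder.` If a neverallow already pins system_server away from `media_rw_data_file:file open`, a pointer to it in the L32 comment would make the intent explicit — I cannot see the rest of the file to confirm one exists.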
@@ -541,11 +545,6 @@ allow system_server adbd:unix_stream_socket connectto;
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow system_server media_rw_data_file:dir search;
-
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
-- 
GitLab