From 28b26bcf42e12add8a3f431555ea9c1005216357 Mon Sep 17 00:00:00 2001 From: Nick Kralevich <nnk@google.com> Date: Wed, 27 Aug 2014 12:13:28 -0700 Subject: [PATCH] support kernel writes to external SDcards The kernel, when it creates a loop block device, starts a new kernel thread "loop0" (drivers/block/loop.c). This kernel thread, which performs writes on behalf of other processes, needs read/write privileges to the sdcard. Allow it. Steps to reproduce: 0) Get device with external, removable sdcard 1) Run: "adb install -s foo.apk" Expected: APK installs successfully. Actual: APK fails to install. Error message: Vold E Failed to write superblock (I/O error) loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 PackageHelper E Failed to create secure container smdl1645334795.tmp DefContainer E Failed to create container smdl1645334795.tmp Bug: 17158723 (cherry picked from commit 4c6b13508d1786a3a835ba5427f37e963c2c7506) Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd --- kernel.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel.te b/kernel.te index b8a8cf28b..d5a75b4d6 100644 --- a/kernel.te +++ b/kernel.te @@ -34,8 +34,9 @@ dontaudit kernel self:security setenforce; # Set checkreqprot by init.rc prior to switching to init domain. allow kernel self:security setcheckreqprot; -# MTP sync -allow kernel fuse:file { read write }; +# MTP sync (b/15835289) +# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) +allow kernel sdcard_type:file { read write }; ### ### neverallow rules
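Review bot: The replacement rule `allow kernel sdcard_type:file { read write };` widens the target from the single type `fuse` to the whole `sdcard_type` attribute, and the hunk's comment does not say why that scope was chosen. The denial in the commit message is against `tcontext=u:object_r:vfat:s0`, so the fix depends on both `vfat` (for loop0) and `fuse` (for the existing MTP case) carrying `sdcard_type`; the comment should state that, and the review should confirm that no other types under `sdcard_type` are being opened to the `kernel` domain unintentionally. If only the loop0 case needs the new access, consider keeping the original `fuse` rule and adding a separate rule for the type named in the denial, so that each grant stays tied to its bug reference. The denial shown is for `{ read }` only; the `write` permission is justified by the "Failed to write superblock" error in the message, which is worth mentioning beside the rule.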