From 2a0053b223cc1c90ce943fdef9653984bb5f70e2 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Tue, 6 Dec 2016 16:47:06 -0800
Subject: [PATCH] Move sdcardfs media_rw_data_file rules to app.te

Test: No media_rw_data_file related app denials
Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19
---
 public/app.te       | 4 ++++
 public/bluetooth.te | 6 ------
 public/shell.te     | 6 ------
 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/public/app.te b/public/app.te
index 7452bc7ad..ffd647efd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -188,6 +188,10 @@ allow { appdomain -isolated_app } fuse:dir create_dir_perms;
 allow { appdomain -isolated_app } fuse:file create_file_perms;
 allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
 allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } media_rw_data_file:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
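Review bot: The added comment on lines 22-23 drops the "Access to /data/media." line that the removed bluetooth.te and shell.te rules carried, so a reader of app.te no longer sees what media_rw_data_file stands for or why a rule that names a non-sdcardfs type sits under the sdcardfs rules. The new rule also widens the grant from two domains to all of `{ appdomain -isolated_app }`, which is a broader change than the subject line "Move" suggests; the rationale for why that breadth is acceptable belongs in the comment. Suggest restoring the prefix and stating the linkage, e.g. `# Access to /data/media (the underlying FS for sdcardfs mounts); needed while` followed by the existing two lines, so the condition under which this rule can be dropped is tied to the type it grants. Whether any neverallow elsewhere in public/ or private/ constrains app access to media_rw_data_file is not visible in this hunk and would be worth confirming before merge.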
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 332d2ab3c..738d9c206 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -58,12 +58,6 @@ unix_socket_connect(bluetooth, sap_uim, rild)
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow bluetooth shell_data_file:file read;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
-
 ###
 ### Neverallow rules
 ###
diff --git a/public/shell.te b/public/shell.te
index e1a126276..a39b39ffd 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -129,12 +129,6 @@ allow shell sysfs:dir r_dir_perms;
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow shell media_rw_data_file:dir create_dir_perms;
-allow shell media_rw_data_file:file create_file_perms;
-
 #
 # filesystem test for insecure chr_file's is done
 # via a host side test
-- 
GitLab