From 374b2a198a0b2872e32f4579337796a539fd168d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 8 Jul 2014 14:45:09 -0400
Subject: [PATCH] Rename sdcard_internal/external types.

Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.

The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.

Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.

Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te         | 4 ++--
 file.te        | 6 ++++--
 genfs_contexts | 4 ++--
 kernel.te      | 2 +-
 recovery.te    | 9 +++------
 5 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/app.te b/app.te
index 5b8fde6fc..2d6416f3e 100644
--- a/app.te
+++ b/app.te
@@ -116,8 +116,8 @@ allow appdomain radio_data_file:file { read write getattr };
 allow untrusted_app system_app_data_file:file { read write getattr };
 
 # Access SDcard via the fuse mount.
-allow appdomain sdcard_internal:dir create_dir_perms;
-allow appdomain sdcard_internal:file create_file_perms;
+allow appdomain fuse:dir create_dir_perms;
+allow appdomain fuse:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
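Review bot: The comment kept above the two `allow appdomain fuse:...` rules still reads "Access SDcard via the fuse mount", which understates what they now grant. Per the commit message, `fuse` is the default label for any fuse filesystem mounted without a context= option, so every app domain gets create permissions on all such mounts, not only the SDcard. I would reword the comment to something like `# Access fuse filesystems carrying the default fuse label, e.g. the SDcard fuse mount.` so the scope of the grant is visible when the rule is audited. The `# MTP sync` comment over `allow kernel fuse:file { read write };` in kernel.te has the same gap.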
diff --git a/file.te b/file.te
index eb7cb9047..99c383975 100644
--- a/file.te
+++ b/file.te
@@ -28,8 +28,10 @@ type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
-type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+typealias fuse alias sdcard_internal;
+typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
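Review bot: The two `typealias` lines carry no comment marking them as compatibility shims, so a later maintainer cannot tell that `sdcard_internal` and `sdcard_external` are deprecated names or when they can be dropped. I would add `# Compatibility aliases for the old names; remove once device policies use fuse/vfat.` above them. Both renamed types also keep `sdcard_type` and `mlstrustedobject`, so any rule written against `sdcard_type` still applies to every default-labeled fuse or vfat filesystem. A one-line comment on the type declarations saying so would keep the attribute name from being read as SDcard-only.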
diff --git a/genfs_contexts b/genfs_contexts
index a01883347..ab4e045a2 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -25,9 +25,9 @@ genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard_external:s0
+genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard_internal:s0
+genfscon fuse / u:object_r:fuse:s0
 genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
diff --git a/kernel.te b/kernel.te
index 422edc9e5..b8a8cf28b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -35,7 +35,7 @@ dontaudit kernel self:security setenforce;
 allow kernel self:security setcheckreqprot;
 
 # MTP sync
-allow kernel sdcard_internal:file { read write };
+allow kernel fuse:file { read write };
 
 ###
 ### neverallow rules
diff --git a/recovery.te b/recovery.te
index 28c7f80ad..66aa3dfc0 100644
--- a/recovery.te
+++ b/recovery.te
@@ -87,13 +87,10 @@ recovery_only(`
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
-  # Allow recovery to create a fuse filesystem, and read files from
-  # it.  (Note that all files on fuse filesystems are labeled
-  # "sdcard_internal"; the simulated SD card is the only other user of
-  # fuse.)
+  # Allow recovery to create a fuse filesystem, and read files from it.
   allow recovery fuse_device:chr_file rw_file_perms;
-  allow recovery sdcard_internal:dir r_dir_perms;
-  allow recovery sdcard_internal:file r_file_perms;
+  allow recovery fuse:dir r_dir_perms;
+  allow recovery fuse:file r_file_perms;
 
   wakelock_use(recovery)
 
-- 
GitLab