From 62083414a4cc2b9fd7eb22c3bc4ffa4d9285d4be Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 24 Sep 2014 15:18:08 -0700
Subject: [PATCH] allow apps to read the contents of mounted OBBs

Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:

  1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
  2) Attempt to run the app.

Expected:
  App runs successfully.

Actual:
  App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:

  avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
---
 app.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app.te b/app.te
index 51fbe439f..812245297 100644
--- a/app.te
+++ b/app.te
@@ -122,6 +122,10 @@ allow untrusted_app system_app_data_file:file { read write getattr };
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
 
+# Access OBBs (vfat images) mounted by vold (b/17633509)
+allow appdomain vfat:dir r_dir_perms;
+allow appdomain vfat:file r_file_perms;
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
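Review bot: the new rules at `allow appdomain vfat:dir r_dir_perms;` / `allow appdomain vfat:file r_file_perms;` are keyed on the filesystem type `vfat`, not on an OBB-specific label, so every app domain gains read access to any filesystem labelled `vfat`, not only the OBB images the comment names; if that breadth is intended, the comment should say so, otherwise an OBB-specific type (or a type transition on the vold mount) would scope the grant to what the denials actually show. The denials in the message come from `untrusted_app` while the grant is to `appdomain`, matching the neighbouring `fuse` rules, which is fine, and `r_dir_perms`/`r_file_perms` do cover the four denied permissions (`search`, `read`, `open`, `getattr`).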
-- 
GitLab