Allow MediaProvider to traverse /mnt/media_rw.

As an optimization, platform components like MediaProvider may choose to shortcut past the FUSE daemon and return open file descriptors directly pointing at the underlying storage device. Now that we have a specific label for /mnt/media_rw, we need to grant search access to untrusted apps like MediaProvider. The actual access control is still managed by POSIX permissions on that directory. avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0 Bug: 21017105 Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511

Allow MediaProvider to traverse /mnt/media_rw.
As an optimization, platform components like MediaProvider may choose to shortcut past the FUSE daemon and return open file descriptors directly pointing at the underlying storage device. Now that we have a specific label for /mnt/media_rw, we need to grant search access to untrusted apps like MediaProvider. The actual access control is still managed by POSIX permissions on that directory. avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0 Bug: 21017105 Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
6e1f405c · Jeff Sharkey · 807d8d02 · 6e1f405c
Commit 6e1f405c authored 9 years ago by Jeff Sharkey
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@ allow untrusted_app mtp_device:chr_file rw_file_perms;
 allow untrusted_app media_rw_data_file:dir create_dir_perms;
 allow untrusted_app media_rw_data_file:file create_file_perms;
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;