sdcard policy and fuse device label.

80ea1d23 · William Roberts · Stephen Smalley · 7fa2f9e0 · 80ea1d23 · 80ea1d23
Commit 80ea1d23 authored 12 years ago by William Roberts Committed by Stephen Smalley 12 years ago
--- a/device.te
+++ b/device.te
@@ -37,6 +37,7 @@ type urandom_device, dev_type;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type;
+type fuse_device, dev_type;
 # All devices have a uart for the hci
 # attach service. The uart dev node

--- a/file_contexts
+++ b/file_contexts
@@ -25,6 +25,7 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/full		u:object_r:full_device:s0
+/dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
 /dev/kmem		u:object_r:kmem_device:s0
@@ -96,6 +97,7 @@
 /system/bin/bluetoothd	u:object_r:bluetoothd_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
 /system/bin/qemud	u:object_r:qemud_exec:s0
+/system/bin/sdcard      u:object_r:sdcardd_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 #############################

--- a/sdcardd.te
+++ b/sdcardd.te
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+init_daemon_domain(sdcardd)
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard:filesystem mount;
+allow sdcardd self:capability { setuid setgid };
+allow sdcardd system_data_file:dir  create_dir_perms;
+allow sdcardd system_data_file:file create_file_perms;