allow kernel to use vold file descriptors

Vold opens ASEC containsers on the sdcard, or OBB files from app's home directories, both of which are supplied by vold. We need to allow kernel threads to access those file descriptors. Addresses the following denial: loop0 : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0 Bug: 19516891 Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d

allow kernel to use vold file descriptors
Vold opens ASEC containsers on the sdcard, or OBB files from app's home directories, both of which are supplied by vold. We need to allow kernel threads to access those file descriptors. Addresses the following denial: loop0 : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0 Bug: 19516891 Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d
9fe810b7 · Nick Kralevich · ab4be88e · 9fe810b7
Commit 9fe810b7 authored 10 years ago by Nick Kralevich
--- a/kernel.te
+++ b/kernel.te
@@ -45,6 +45,7 @@ allow kernel self:security setcheckreqprot;
 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel vold:fd use;
 allow kernel sdcard_type:file { read write };
 # Allow the kernel to read OBB files from app directories. (b/17428116)