Merge "Label /data/media with its own type and allow access."

file.te

@@ -60,6 +60,7 @@ type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;

file_contexts

@@ -170,6 +170,7 @@
 /data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/media(/.*)?	u:object_r:media_rw_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0

platform_app.te

@@ -39,3 +39,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;

sdcardd.te

@@ -3,3 +3,7 @@ type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
 unconfined_domain(sdcardd)
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;