From c15090b315cc32d4bb55b5ff79b71b4383e1a793 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Tue, 1 Mar 2016 16:13:50 -0800
Subject: [PATCH] sepolicy: Add policy for sdcardfs and configfs

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
---
 app.te | 2 ++
 file.te | 2 ++
 genfs_contexts | 2 ++
 init.te | 4 ++++
 system_server.te | 4 ++++
 untrusted_app.te | 1 +
 zygote.te | 1 +
 7 files changed, 16 insertions(+)

diff --git a/app.te b/app.te
index 0d7b6001b..70b1c94e3 100644
--- a/app.te
+++ b/app.te
@@ -161,6 +161,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
 # Read/write visible storage
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
+allow appdomain sdcardfs:dir create_dir_perms;
+allow appdomain sdcardfs:file create_file_perms;
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
diff --git a/file.te b/file.te
index cab2a5e61..7b6b4a9c0 100644
--- a/file.te
+++ b/file.te
@@ -29,6 +29,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
+type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
@@ -44,6 +45,7 @@ type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
diff --git a/genfs_contexts b/genfs_contexts
index 891c686fb..81749fd1c 100644
--- a/genfs_contexts
+++ b/genfs_contexts
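Review bot: The two rules added in app.te give every domain carrying the `appdomain` attribute create_dir_perms and create_file_perms on `sdcardfs`, and the second file.te hunk declares that type `mlstrustedobject`, so neither type enforcement nor MLS categories keep one app's files on this filesystem apart from another's. This matches the existing `fuse` rules, so separation presumably rests on sdcardfs's own permission checks and on which mounts a process can see, and the policy should say so. I would add above the new rules `# sdcardfs mirrors fuse: app-to-app separation is left to the filesystem, not to SELinux`. The same applies to the `-sdcardfs` exemption added to the untrusted_app.te neverallow, whose rule body continues outside that hunk.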
@@ -37,6 +37,8 @@ genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
 genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
diff --git a/init.te b/init.te
index 1845fa234..889598562 100644
--- a/init.te
+++ b/init.te
@@ -61,6 +61,10 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cpuctl_device:dir { create mounton };
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
diff --git a/system_server.te b/system_server.te
index fb864caeb..a84812a39 100644
--- a/system_server.te
+++ b/system_server.te
@@ -440,6 +440,10 @@ userdebug_or_eng(`
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
 allow system_server adbd:unix_stream_socket connectto;
diff --git a/untrusted_app.te b/untrusted_app.te
index 5e6c1b695..8289dce1c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -150,6 +150,7 @@ neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr
 neverallow untrusted_app {
 fs_type
 -fuse # sdcard
+ -sdcardfs # sdcard
 file_type
 -app_data_file # The apps sandbox itself
 -media_rw_data_file # Internal storage. Known that apps can
diff --git a/zygote.te b/zygote.te
index e1be061c9..83f2c7641 100644
--- a/zygote.te
+++ b/zygote.te
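Review bot: `genfscon configfs / u:object_r:configfs:s0` in genfs_contexts labels the whole configfs mount with one type, so the system_server.te rules added "For configuring sdcardfs" and the init.te rules reach every kernel subsystem that exposes configuration through configfs, not only sdcardfs. A more specific genfscon entry for the sdcardfs subtree with its own type would keep the grant to what the comment describes, e.g. `genfscon configfs /<sdcardfs-subdir> u:object_r:<sdcardfs_config_type>:s0` (path and type name are placeholders; the page does not show the directory). A `neverallow` that limits writes on `configfs` to the domains that need them would then catch later widening.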
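Review bot: The `# /config` comment in init.te names the mount point but not why init needs `create_dir_perms` on `configfs:dir` in addition to `mounton`. If init also creates directories under the mount, the comment should say which; if it only mounts the filesystem, a narrower permission set than create_dir_perms is likely enough, though the hunk does not show which case holds. Either way the two rules share source, target and class and can be written as one, `allow init configfs:dir { create_dir_perms mounton };`.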
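Review bot: In system_server.te, `unlink` on `configfs:file` looks unneeded. As far as I know configfs removes an item's attribute files when the item's directory is removed with rmdir and does not let user space unlink them, so the permission should be dropped unless a logged denial shows it is required. The braces in `configfs:dir { create_dir_perms }` wrap a single macro and can go, giving `allow system_server configfs:dir create_dir_perms;`.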
@@ -52,6 +52,7 @@ allow zygote proc_cpuinfo:file mounton;
 allow zygote rootfs:dir mounton;
 allow zygote tmpfs:filesystem { mount unmount };
 allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
 # Allowed to create user-specific storage source if started before vold
 allow zygote mnt_user_file:dir create_dir_perms;
-- GitLab