Split internal and external sdcards

Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

Split internal and external sdcards
Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
c195ec31 · William Roberts · Stephen Smalley · 1ed1effa · c195ec31 · c195ec31
Commit c195ec31 authored 12 years ago by William Roberts Committed by Stephen Smalley 12 years ago
--- a/app.te
+++ b/app.te
@@ -89,8 +89,8 @@ net_domain(browser_app)
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
 # App sdcard file accesses
-allow platformappdomain sdcard:dir create_dir_perms;
-allow platformappdomain sdcard:file create_file_perms;
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
 # System data file accesses (e.g, shared objects from the lib directory)
 allow platformappdomain system_data_file:file { execute open };

@@ -119,11 +119,17 @@ if (app_bluetooth or android_cts) {
 # No specific SELinux class for bluetooth sockets presently.
 allow untrusted_app self:socket *;
 }
-# SDCard rw access.
-bool app_sdcard_rw true;
-if (app_sdcard_rw) {
-allow untrusted_app sdcard:dir create_dir_perms;
-allow untrusted_app sdcard:file create_file_perms;
+# Internal SDCard rw access.
+bool app_internal_sdcard_rw true;
+if (app_internal_sdcard_rw) {
+allow untrusted_app sdcard_internal:dir create_dir_perms;
+allow untrusted_app sdcard_internal:file create_file_perms;
+}
+# External SDCard rw access.
+bool app_external_sdcard_rw true;
+if (app_external_sdcard_rw) {
+allow untrusted_app sdcard_external:dir create_dir_perms;
+allow untrusted_app sdcard_external:file create_file_perms;
 }
 # Native app support.
 bool app_ndk false;

--- a/attributes
+++ b/attributes
@@ -24,6 +24,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;

+# Attribute used for all sdcards
+attribute sdcard_type;
+
 # All types used for nodes/hosts.
 attribute node_type;


--- a/drmserver.te
+++ b/drmserver.te
@@ -14,7 +14,7 @@ binder_service(drmserver)
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)

-allow drmserver sdcard:dir search;
+allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver self:{ tcp_socket udp_socket } *;

--- a/file.te
+++ b/file.te
@@ -16,7 +16,8 @@ type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type sdcard, fs_type, mlstrustedobject;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;

 # File types

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -9,6 +9,6 @@ genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard:s0
+genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard:s0
+genfscon fuse / u:object_r:sdcard_internal:s0
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -8,7 +8,7 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 unix_socket_connect(mediaserver, property, init)

-r_dir_file(mediaserver, sdcard)
+r_dir_file(mediaserver, sdcard_type)

 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
@@ -18,7 +18,7 @@ binder_service(mediaserver)
 allow mediaserver kernel:system module_request;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file r_file_perms;
-allow mediaserver sdcard:file write;
+allow mediaserver sdcard_type:file write;
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:chr_file rw_file_perms;

--- a/rild.te
+++ b/rild.te
@@ -23,7 +23,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 allow rild radio_data_file:dir r_dir_perms;
 allow rild radio_data_file:file rw_file_perms;
 allow rild radio_device:lnk_file r_file_perms;
-allow rild sdcard:dir r_dir_perms;
+allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir create_dir_perms;
 allow rild system_data_file:file create_file_perms;
 allow rild system_file:file x_file_perms;

--- a/sdcardd.te
+++ b/sdcardd.te
@@ -6,7 +6,7 @@ init_daemon_domain(sdcardd)
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard:filesystem mount;
+allow sdcardd sdcard_type:filesystem mount;
 allow sdcardd self:capability { setuid setgid dac_override sys_admin };
 allow sdcardd system_data_file:dir  create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;
--- a/shell.te
+++ b/shell.te
@@ -13,8 +13,8 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;

 # Access sdcard.
-allow shell sdcard:dir rw_dir_perms;
-allow shell sdcard:file create_file_perms;
+allow shell sdcard_type:dir rw_dir_perms;
+allow shell sdcard_type:file create_file_perms;

 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;

--- a/system.te
+++ b/system.te
@@ -28,7 +28,7 @@ selinux_getenforce(system)
 selinux_getenforce(system_app)

 # Settings app reads sdcard for storage stats
-allow system_app sdcard:dir r_dir_perms;
+allow system_app sdcard_type:dir r_dir_perms;

 bool manage_selinux true;
 if (manage_selinux) {

--- a/vold.te
+++ b/vold.te
@@ -10,9 +10,9 @@ allow vold block_device:blk_file create_file_perms;
 allow vold block_device:lnk_file read;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-allow vold sdcard:dir mounton;
-allow vold sdcard:filesystem { mount remount unmount };
-allow vold sdcard:dir create_dir_perms;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;

--- a/zygote.te
+++ b/zygote.te
@@ -33,7 +33,7 @@ allow zygote rootfs:file r_file_perms;

 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;
-allow zygote sdcard:dir { write search setattr create add_name mounton };
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
 dontaudit zygote self:capability fsetid;
 allow zygote tmpfs:dir { write create add_name setattr mounton };
 allow zygote tmpfs:filesystem mount;