Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev

cf8719e7 · Daniel Rosenberg · Android (Google) Code Review · 92aefee4 · 47fb4b9f · cf8719e7
Commit cf8719e7 authored 9 years ago by Daniel Rosenberg Committed by Android (Google) Code Review 9 years ago
--- a/app.te
+++ b/app.te
@@ -182,6 +182,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
 # Read/write visible storage
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
+allow appdomain sdcardfs:dir create_dir_perms;
+allow appdomain sdcardfs:file create_file_perms;
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework

--- a/file.te
+++ b/file.te
@@ -29,6 +29,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
+type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
@@ -41,6 +42,7 @@ type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -35,6 +35,8 @@ genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
 genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0

--- a/init.te
+++ b/init.te
@@ -61,6 +61,10 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cpuctl_device:dir { create mounton };
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;

--- a/system_server.te
+++ b/system_server.te
@@ -481,6 +481,10 @@ userdebug_or_eng(`
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
 allow system_server adbd:unix_stream_socket connectto;

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -170,6 +170,7 @@ neverallow untrusted_app property_type:property_service set;
 neverallow untrusted_app {
  fs_type
  -fuse                     # sdcard
+  -sdcardfs                 # sdcard
  file_type
  -app_data_file            # The apps sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can

--- a/zygote.te
+++ b/zygote.te
@@ -54,6 +54,7 @@ allow zygote proc_cpuinfo:file mounton;
 allow zygote rootfs:dir mounton;
 allow zygote tmpfs:filesystem { mount unmount };
 allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
 # Allowed to create user-specific storage source if started before vold
 allow zygote mnt_user_file:dir create_dir_perms;