isolated_app.te: Give permissions for using sdcardfs

Sdcardfs does not use a userspace daemon, so the secontext is currently the caller's when accessing files. This can be removed if sdcardfs is modified to change the secontext before calling into the lower filesystem. Bug: 32735101 Test: Run any app that falls under isolated_app. Test: See bug for example Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf

isolated_app.te: Give permissions for using sdcardfs
02bf4aad · Daniel Rosenberg · 9f1e2b53 · 02bf4aad
Commit 02bf4aad authored 8 years ago by Daniel Rosenberg
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -30,8 +30,10 @@ allow isolated_app self:process ptrace;
 # neverallow rules below.
 # TODO: consider removing write/append. We want to limit isolated_apps
 # ability to mutate files of any type.
-allow isolated_app sdcard_type:file { read write append getattr lock };
-auditallow isolated_app sdcard_type:file { write append };
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };

 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the