From 15abc9504b825b5e84ad78b7328d27faf8801cfb Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:39 -0400
Subject: [PATCH] Confine sdcardd, but leave it permissive for now.

Change-Id: I1eba1535d650a09ee7640cb7f3664202be4a0a55
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 sdcardd.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sdcardd.te b/sdcardd.te
index f9e72b7ac..4cf080a23 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,9 +1,23 @@
 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
-unconfined_domain(sdcardd)
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Compatibility for existing devices with /data/media in system_data_file.
+# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
+allow sdcardd system_data_file:dir  create_dir_perms;
+allow sdcardd system_data_file:file create_file_perms;
-- 
GitLab