From 47fb4b9fc46fe2675b509874da340797fc43a947 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Tue, 1 Mar 2016 16:13:50 -0800
Subject: [PATCH] sepolicy: Add policy for sdcardfs and configfs

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
---
 app.te           | 2 ++
 file.te          | 2 ++
 genfs_contexts   | 2 ++
 init.te          | 4 ++++
 system_server.te | 4 ++++
 untrusted_app.te | 1 +
 zygote.te        | 1 +
 7 files changed, 16 insertions(+)

diff --git a/app.te b/app.te
index b89d4e15c..b3968538d 100644
--- a/app.te
+++ b/app.te
@@ -165,6 +165,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
 # Read/write visible storage
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
+allow appdomain sdcardfs:dir create_dir_perms;
+allow appdomain sdcardfs:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
diff --git a/file.te b/file.te
index 685cfe084..9ac51e45f 100644
--- a/file.te
+++ b/file.te
@@ -27,6 +27,7 @@ type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
+type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
@@ -39,6 +40,7 @@ type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
diff --git a/genfs_contexts b/genfs_contexts
index 3f865c4e4..cb2835259 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -34,6 +34,8 @@ genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
 genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
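Review bot: The single entry `genfscon configfs / u:object_r:configfs:s0` labels every configfs subtree with the same type. As a result, the grants added in system_server.te ("For configuring sdcardfs") and init.te apply to any other configfs consumer the kernel exposes, not only the sdcardfs entries. If the target kernels support path-granular genfs labelling for configfs (not visible from this patch), a dedicated type for the sdcardfs subtree would let system_server be limited to that subtree. If they do not, a comment next to this line stating that `configfs` covers the whole mount would help reviewers of later rules on that type.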
diff --git a/init.te b/init.te
index 1baeeeeb6..9abd5856a 100644
--- a/init.te
+++ b/init.te
@@ -61,6 +61,10 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cpuctl_device:dir { create mounton };
 
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
 
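Review bot: Nothing in this hunk grants `configfs:filesystem mount`, so unless a rule elsewhere in init.te already covers it (not visible here), mounting /config may still be denied; worth checking against the full file. As a style point, the two added rules share source, target and class and can be merged into `allow init configfs:dir { create_dir_perms mounton };`. The `# /config` comment could also say what init does there, for example `# Mount configfs at /config and create directories in it`.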
diff --git a/system_server.te b/system_server.te
index 2e131b34f..4764e38dc 100644
--- a/system_server.te
+++ b/system_server.te
@@ -465,6 +465,10 @@ userdebug_or_eng(`
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
 
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
 allow system_server adbd:unix_stream_socket connectto;
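Review bot: The added rules give system_server the full `create_dir_perms` set on `configfs:dir` and `unlink` on `configfs:file`, which the comment `# For configuring sdcardfs` does not explain. configfs attribute files are presumably created and removed by the kernel alongside their directory, so `unlink` may never be exercised; if audit logs confirm that, `allow system_server configfs:file { getattr open write };` is the tighter grant. The braces around the lone macro are redundant, so `allow system_server configfs:dir create_dir_perms;` is enough. The comment would be more useful if it named the configfs path and the operations system_server performs on it.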
diff --git a/untrusted_app.te b/untrusted_app.te
index 30364b035..9155333d4 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -167,6 +167,7 @@ neverallow untrusted_app property_type:property_service set;
 neverallow untrusted_app {
   fs_type
   -fuse                     # sdcard
+  -sdcardfs                 # sdcard
   file_type
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can
diff --git a/zygote.te b/zygote.te
index 013d8c6aa..89dccfcf7 100644
--- a/zygote.te
+++ b/zygote.te
@@ -54,6 +54,7 @@ allow zygote proc_cpuinfo:file mounton;
 allow zygote rootfs:dir mounton;
 allow zygote tmpfs:filesystem { mount unmount };
 allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
 
 # Allowed to create user-specific storage source if started before vold
 allow zygote mnt_user_file:dir create_dir_perms;
-- 
GitLab