From 5fc825c91715ad0b983b42986e93070eb7ce333d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 4 Sep 2014 11:04:23 -0700
Subject: [PATCH] sdcardd: grant unmount

If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:

  sdcard  : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0

Allow the operation.

Steps to reproduce:

  1) adb shell into the device and su to root
  2) run "kill -9 [PID OF SDCARD]

Expected:

  sdcard daemon successfully restarts without error message.

Actual:

  SELinux denial above, plus attempts to mount a new filesystem
  on top of the existing filesystem.

(cherrypicked from commit abfd427a3226a8bb696e5e5b9239f5445a680f6c)

Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
---
 sdcardd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdcardd.te b/sdcardd.te
index ad5c58dfb..5ea77a90e 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -6,7 +6,7 @@ init_daemon_domain(sdcardd)
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd sdcard_type:filesystem { mount unmount };
 allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
 
 allow sdcardd sdcard_type:dir create_dir_perms;
-- 
GitLab