From 6e1f405c8b8b5d91a350ff14d1100930d7bff844 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Tue, 19 May 2015 13:52:51 -0700
Subject: [PATCH] Allow MediaProvider to traverse /mnt/media_rw.
As an optimization, platform components like MediaProvider may choose to shortcut past the FUSE daemon and return open file descriptors directly pointing at the underlying storage device. Now that we have a specific label for /mnt/media_rw, we need to grant search access to untrusted apps like MediaProvider. The actual access control is still managed by POSIX permissions on that directory. avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
---
 untrusted_app.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/untrusted_app.te b/untrusted_app.te
index 79eb752a4..e451c5d6b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@ allow untrusted_app mtp_device:chr_file rw_file_perms;
 allow untrusted_app media_rw_data_file:dir create_dir_perms;
 allow untrusted_app media_rw_data_file:file create_file_perms;
 
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
-- GitLab
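Review bot: The added `allow untrusted_app mnt_media_rw_file:dir search;` applies to every process in the untrusted_app domain, not only MediaProvider, so for all other apps in that domain the POSIX mode and ownership of /mnt/media_rw (which the commit message names as the real access control) become the only barrier to traversal. The comment above the rule should state that dependency, because a later change to the directory's mode or mount options would widen access without any policy diff; something like `# search only; DAC on /mnt/media_rw is the actual gate for the rest of this domain - do not widen to r_dir_perms`. The TODO would be easier to follow up if it carried a tracking reference, for example `# TODO(b/21017105): narrow this to just MediaProvider` if that bug is the right home for it. Which labels the volumes mounted below /mnt/media_rw carry, and whether untrusted_app already has access to them, is not visible in this hunk and is worth confirming before treating the grant as traversal-only.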