From 73d9c2a97b232389ab1dd179ac72c2fbefc5482b Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 6 Apr 2015 16:21:54 -0700
Subject: [PATCH] Initial policy for expanded storage.

Expanded storage supports a subset of the features of the internal
data partition.  Mirror that policy for consistency.  vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
---
 app.te           |  3 +++
 file.te          |  1 +
 file_contexts    | 15 +++++++++++++++
 system_server.te |  3 +++
 vold.te          | 10 ++++++++--
 5 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 5917f7c6d..73fb68bd7 100644
--- a/app.te
+++ b/app.te
@@ -58,6 +58,9 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
 # Keychain and user-trusted credentials
 allow appdomain keychain_data_file:dir r_dir_perms;
 allow appdomain keychain_data_file:file r_file_perms;
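Review bot: `r_dir_perms` on mnt_expand_file:dir grants more than the "Traverse into expanded storage" comment describes: it includes read/open, so every app can enumerate the volume identifiers mounted under /mnt/expand, whereas traversal alone needs only `search` (plus `getattr`, which is what the untrusted_app denial in the description shows). If listing is intended because the rule mirrors the system_data_file rule just above, the comment should say so, e.g. `# Traverse into and list expanded storage volumes (mirrors system_data_file)`; otherwise `allow appdomain mnt_expand_file:dir { getattr search };` covers the observed denial. The same point applies to the identical rule in the system_server.te hunk below.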
diff --git a/file.te b/file.te
index bbfd665c8..25c3b7e29 100644
--- a/file.te
+++ b/file.te
@@ -86,6 +86,7 @@ type bootchart_data_file, file_type, data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
 type storage_file, file_type;
 
 # Label for storage dirs which are just mount stubs
diff --git a/file_contexts b/file_contexts
index 7ef7b3cdd..b66c2e07c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -190,6 +190,9 @@
 #############################
 # Data files
 #
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
 /data(/.*)?		u:object_r:system_data_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
@@ -244,6 +247,18 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
 
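Review bot: The new "Expanded data files" section carries no pointer back to the "Data files" section, even though the NOTE added in the first hunk makes the two dependent on each other; a reciprocal `# NOTE: Mirrors the "Data files" section above; keep the two in sync.` under the header would help the next editor. Only app, app/*/oat, the vmdl tmp dirs, local/tmp and media are mirrored here, so any other path that the Data files section labels more specifically presumably falls back to system_data_file on an expanded volume via the `/mnt/expand/[^/]+(/.*)?` rule — worth stating in the comment if that is the intent.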
diff --git a/system_server.te b/system_server.te
index 27fd704a9..02acf4e10 100644
--- a/system_server.te
+++ b/system_server.te
@@ -456,6 +456,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
 # we shouldn't be killed during unsafe removal
 allow system_server sdcard_type:dir { getattr search };
 
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/vold.te b/vold.te
index dfdc3d977..b534c1e8f 100644
--- a/vold.te
+++ b/vold.te
@@ -52,6 +52,12 @@ allow vold sdcard_type:filesystem { mount unmount remount };
 allow vold mnt_user_file:dir create_dir_perms;
 allow vold mnt_user_file:lnk_file create_file_perms;
 
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold media_rw_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
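Review bot: The three `{ create getattr setattr }` rules added for apk_data_file, media_rw_data_file and shell_data_file are type-wide rather than path-scoped, so they also let vold create and chmod/chown directories carrying those labels wherever else they are used on the device, not only under /mnt/expand; the `setattr rmdir` added to the system_data_file:dir rule in the second hunk of this file has the same reach, since that type labels all of /data per file_contexts. The denials quoted in the description cover media_rw_data_file and shell_data_file but none for apk_data_file, so that grant appears anticipatory. A comment recording the scope would help, e.g. `# Prepare initial directories on expanded volumes. NOTE: these types are shared with /data, so the grants are not limited to /mnt/expand.`, and a dedicated type for the volume root would narrow it, much as the existing "XXX Split into a separate type?" remark on efs_file suggests for a similar case.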
@@ -95,8 +101,8 @@ allow vold labeledfs:filesystem { mount unmount remount };
 # XXX Split into a separate type?
 allow vold efs_file:file rw_file_perms;
 
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;
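Review bot: The rewritten comment `# Create and mount on /data/tmp_mnt and management of expansion mounts` mixes a verb phrase with a noun phrase and does not say which of the added permissions serve which purpose. `# Create and mount on /data/tmp_mnt; setattr/rmdir the mount points of expansion volumes` keeps the original meaning and ties the two new permissions to the setattr and rmdir denials quoted in the description.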
-- 
GitLab