From 9fe810b7392c1c1ca17b7700eab88ccdf8fa9d2d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 25 Feb 2015 15:14:09 -0800
Subject: [PATCH] allow kernel to use vold file descriptors

Vold opens ASEC containers on the sdcard, or OBB files from apps'
home directories, both of which are supplied by vold. We need to
allow kernel threads to access those file descriptors.

Addresses the following denial:

  loop0   : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0

Bug: 19516891
Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d
---
 kernel.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel.te b/kernel.te
index fce05ad35..fa8ccd523 100644
--- a/kernel.te
+++ b/kernel.te
@@ -45,6 +45,7 @@ allow kernel self:security setcheckreqprot;
 
 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel vold:fd use;
 allow kernel sdcard_type:file { read write };
 
 # Allow the kernel to read OBB files from app directories. (b/17428116)
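Review bot: The added `allow kernel vold:fd use;` has no comment of its own, and the two comments above it cite b/15835289 and b/17158723 rather than the bug this rule addresses, so kernel.te does not record why the kernel domain may use vold's descriptors. I would put a line directly above the rule, for example `# vold opens the ASEC/OBB backing file and hands the fd to the loop device (b/19516891)`. The grant applies to any descriptor created in the vold domain, not only loop-backing files. Access to the object behind the fd is still checked by the file-class rules such as `allow kernel sdcard_type:file { read write };`, so it is worth confirming that those stay the only file grants paired with it. The OBB rule introduced by the last context line lies outside the hunk.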
-- 
GitLab