Skip to content
Snippets Groups Projects
Commit abef2555 authored by Jeff Sharkey's avatar Jeff Sharkey Committed by Android Git Automerger
Browse files

am 8a6ac553: am 73d9c2a9: Initial policy for expanded storage. 

* commit '8a6ac553':
  Initial policy for expanded storage.
parents 151a02a9 8a6ac553
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
app.te
+ 3
0
View file @ abef2555
...@@ -58,6 +58,9 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file ...@@ -58,6 +58,9 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file
allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod }; allow appdomain system_data_file:file { execute execute_no_trans open execmod };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
# Keychain and user-trusted credentials # Keychain and user-trusted credentials
allow appdomain keychain_data_file:dir r_dir_perms; allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms; allow appdomain keychain_data_file:file r_file_perms;
......
file.te
+ 1
0
View file @ abef2555
...@@ -86,6 +86,7 @@ type bootchart_data_file, file_type, data_file_type; ...@@ -86,6 +86,7 @@ type bootchart_data_file, file_type, data_file_type;
# Mount locations managed by vold # Mount locations managed by vold
type mnt_media_rw_file, file_type; type mnt_media_rw_file, file_type;
type mnt_user_file, file_type; type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type; type storage_file, file_type;
# Label for storage dirs which are just mount stubs # Label for storage dirs which are just mount stubs
......
file_contexts
+ 15
0
View file @ abef2555
...@@ -190,6 +190,9 @@ ...@@ -190,6 +190,9 @@
############################# #############################
# Data files # Data files
# #
# NOTE: When modifying existing label rules, changes may also need to
# propagate to the "Expanded data files" section.
#
/data(/.*)? u:object_r:system_data_file:s0 /data(/.*)? u:object_r:system_data_file:s0
/data/.layout_version u:object_r:install_data_file:s0 /data/.layout_version u:object_r:install_data_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0 /data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
...@@ -244,6 +247,18 @@ ...@@ -244,6 +247,18 @@
# Bootchart data # Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0 /data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
#############################
# Expanded data files
#
/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
# coredump directory for userdebug/eng devices # coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0 /cores(/.*)? u:object_r:coredump_file:s0
......
system_server.te
+ 3
0
View file @ abef2555
...@@ -458,6 +458,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; ...@@ -458,6 +458,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
# we shouldn't be killed during unsafe removal # we shouldn't be killed during unsafe removal
allow system_server sdcard_type:dir { getattr search }; allow system_server sdcard_type:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
### ###
### Neverallow rules ### Neverallow rules
### ###
......
vold.te
+ 8
2
View file @ abef2555
...@@ -52,6 +52,12 @@ allow vold sdcard_type:filesystem { mount unmount remount }; ...@@ -52,6 +52,12 @@ allow vold sdcard_type:filesystem { mount unmount remount };
allow vold mnt_user_file:dir create_dir_perms; allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms; allow vold mnt_user_file:lnk_file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold media_rw_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms; allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton; allow vold tmpfs:dir mounton;
...@@ -95,8 +101,8 @@ allow vold labeledfs:filesystem { mount unmount remount }; ...@@ -95,8 +101,8 @@ allow vold labeledfs:filesystem { mount unmount remount };
# XXX Split into a separate type? # XXX Split into a separate type?
allow vold efs_file:file rw_file_perms; allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt. # Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton }; allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
# Set scheduling policy of kernel processes # Set scheduling policy of kernel processes
allow vold kernel:process setsched; allow vold kernel:process setsched;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment