From b0a99513b299b59094577c01b5fe42f52def7de7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 9 Sep 2014 14:12:18 -0700
Subject: [PATCH] Allow kernel thread to read app data files

When vold mounts an OBB on behalf of another application, the kernel
spins up the "loop0" thread to perform the mount operation. Grant
the kernel thread the ability to read app data files, so the mount
operation can succeed.

Steps to reproduce:

  1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java

Expected:

  1) All tests pass

Actual:

  Test failure, with the following error message:

  loop0   : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
  Vold    : Image mount failed (I/O error)
  MountService: Couldn't mount OBB file: -1
  StorageManager: Received message.  path=/data/data/com.android.cts.stub/files/test1.obb, state=21
  TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
  TestRunner: ----- begin exception -----
  TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
  TestRunner:    at junit.framework.Assert.fail(Assert.java:50)
  TestRunner:    at junit.framework.Assert.assertTrue(Assert.java:20)
  TestRunner:    at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)

Bug: 17428116
Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
---
 kernel.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel.te b/kernel.te
index d5a75b4d6..3a8026506 100644
--- a/kernel.te
+++ b/kernel.te
@@ -38,6 +38,13 @@ allow kernel self:security setcheckreqprot;
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel sdcard_type:file { read write };
 
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel app_data_file:file read;
+
 ###
 ### neverallow rules
 ###
-- 
GitLab