Allow search/getattr access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: system_server, dumpstate, and bluetooth Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27932396 Change-Id: I294cfe23269b7959586252250f5527f13e60529b

Allow search/getattr access to media_rw_data_file for now.
b80bdef0 · Daniel Rosenberg · a2ed1cea · b80bdef0 · b80bdef0 · b80bdef0
Commit b80bdef0 authored 8 years ago by Daniel Rosenberg
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,11 @@ unix_socket_connect(bluetooth, sap_uim, rild)
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow bluetooth shell_data_file:file read;

+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow bluetooth media_rw_data_file:dir search;
+
 ###
 ### Neverallow rules
 ###

--- a/dumpstate.te
+++ b/dumpstate.te
@@ -137,3 +137,8 @@ allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
 allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
--- a/system_server.te
+++ b/system_server.te
@@ -492,6 +492,11 @@ allow system_server adbd:unix_stream_socket connectto;
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow system_server media_rw_data_file:dir search;
+
 ###
 ### Neverallow rules
 ###