From b80bdef034b603efc7333f678b2cef2ce26273f6 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Tue, 5 Apr 2016 10:34:53 -0700
Subject: [PATCH] Allow search/getattr access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Until sdcardfs is modified to perform its accesses to the underlying
filesystem under a different security context, these rules are needed.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
---
 bluetooth.te     | 5 +++++
 dumpstate.te     | 5 +++++
 system_server.te | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/bluetooth.te b/bluetooth.te
index b143726b7..ff664abbb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,11 @@ unix_socket_connect(bluetooth, sap_uim, rild)
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow bluetooth shell_data_file:file read;
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow bluetooth media_rw_data_file:dir search;
+
 ###
 ### Neverallow rules
 ###
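Review bot: The rule `allow bluetooth media_rw_data_file:dir search;` is described as temporary, but the in-policy comment gives no pointer to what will retire it; the commit record carries `Bug: 27932396`, so the comment should name it, e.g. `# TODO(b/27932396): remove once sdcardfs alters the secontext of its accesses to the underlying FS.` The comment's "Access to /data/media" also overstates what is granted: `search` on the `dir` class is traversal only, with no `getattr`, `open` or `read` on anything beneath it, and the comment should say which path bluetooth traverses so that any later widening of this grant for a remote-facing domain is deliberate rather than denial-driven. Neither the hunk nor the commit message quotes the avc denial, so the actual access path is inferred here.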
diff --git a/dumpstate.te b/dumpstate.te
index 19b8adf64..8f64a0c59 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -137,3 +137,8 @@ allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
 allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
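Review bot: dumpstate is granted `getattr` on `media_rw_data_file:dir` where the other two domains in this patch get `search`, and the comment does not record which access prompted the different permission; if dumpstate only stats /data/media itself for a report this is the minimal grant, but if it descends into the directory the next denial will be `search`, so the comment should note the specific path or denial. As in the other hunks, the temporary-rule note should carry the tracking bug so it is discoverable from the policy file: `# TODO(b/27932396): remove once sdcardfs alters the secontext of its accesses to the underlying FS.` Which dumpstate operation triggers this is not visible in the hunk, so that part is inferred.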
diff --git a/system_server.te b/system_server.te
index 3cba2892f..8d8c30350 100644
--- a/system_server.te
+++ b/system_server.te
@@ -492,6 +492,11 @@ allow system_server adbd:unix_stream_socket connectto;
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow system_server media_rw_data_file:dir search;
+
 ###
 ### Neverallow rules
 ###
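Review bot: `allow system_server media_rw_data_file:dir search;` is presented as temporary for the most privileged domain in this set, but nothing in the hunk bounds it, even though the `### Neverallow rules` section begins immediately below. If system_server is not expected to touch file contents under /data/media directly, a rule such as `neverallow system_server media_rw_data_file:file { open read write };` there would keep this grant from silently growing beyond traversal before the sdcardfs-side change lands; if a domain-wide neverallow on media_rw_data_file already exists elsewhere in the policy this may be redundant, and that is not visible here. The comment should also reference `b/27932396` so the removal condition stated in the commit message can be found from the policy file itself.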
-- 
GitLab