From c195ec31485766d065d3e3101268d5ce727ff4c0 Mon Sep 17 00:00:00 2001
From: William Roberts <w.roberts@sta.samsung.com>
Date: Wed, 6 Mar 2013 16:26:36 -0800
Subject: [PATCH] Split internal and external sdcards

Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards.
Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
---
 app.te | 20 +++++++++++++-------
 attributes | 3 +++
 drmserver.te | 2 +-
 file.te | 3 ++-
 genfs_contexts | 4 ++--
 mediaserver.te | 4 ++--
 rild.te | 2 +-
 sdcardd.te | 2 +-
 shell.te | 4 ++--
 system.te | 2 +-
 vold.te | 6 +++---
 zygote.te | 2 +-
 12 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/app.te b/app.te
index de7b7d05d..cb8091b64 100644
--- a/app.te
+++ b/app.te
@@ -89,8 +89,8 @@ net_domain(browser_app)
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
 # App sdcard file accesses
-allow platformappdomain sdcard:dir create_dir_perms;
-allow platformappdomain sdcard:file create_file_perms;
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
 # System data file accesses (e.g, shared objects from the lib directory)
 allow platformappdomain system_data_file:file { execute open };
@@ -119,11 +119,17 @@ if (app_bluetooth or android_cts) {
 # No specific SELinux class for bluetooth sockets presently.
 allow untrusted_app self:socket *;
 }
-# SDCard rw access.
-bool app_sdcard_rw true;
-if (app_sdcard_rw) {
-allow untrusted_app sdcard:dir create_dir_perms;
-allow untrusted_app sdcard:file create_file_perms;
+# Internal SDCard rw access.
+bool app_internal_sdcard_rw true;
+if (app_internal_sdcard_rw) {
+allow untrusted_app sdcard_internal:dir create_dir_perms;
+allow untrusted_app sdcard_internal:file create_file_perms;
+}
+# External SDCard rw access.
+bool app_external_sdcard_rw true;
+if (app_external_sdcard_rw) {
+allow untrusted_app sdcard_external:dir create_dir_perms;
+allow untrusted_app sdcard_external:file create_file_perms;
 }
 # Native app support.
 bool app_ndk false;
diff --git a/attributes b/attributes
index ef4a1708e..7d491e2d4 100644
--- a/attributes
+++ b/attributes
@@ -24,6 +24,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;
+# Attribute used for all sdcards
+attribute sdcard_type;
+
 # All types used for nodes/hosts.
 attribute node_type;
diff --git a/drmserver.te b/drmserver.te
index 63286d558..dcf3cc952 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -14,7 +14,7 @@ binder_service(drmserver)
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
-allow drmserver sdcard:dir search;
+allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver self:{ tcp_socket udp_socket } *;
diff --git a/file.te b/file.te
index 484b8fe74..65788df5b 100644
--- a/file.te
+++ b/file.te
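Review bot: In the second app.te hunk both new booleans, `app_internal_sdcard_rw` and `app_external_sdcard_rw`, default to `true`, so untrusted_app keeps create and write access to both card types and the split restricts nothing until one of them is switched off. The old name `app_sdcard_rw` is removed outright, so any device configuration or tooling that set it to false would presumably stop applying and leave access at the permissive default. I would extend the comments to name what each boolean governs and mention the rename, for example `# External SDCard rw access (vfat mounts per genfs_contexts); replaces app_sdcard_rw.`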
@@ -16,7 +16,8 @@ type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type sdcard, fs_type, mlstrustedobject;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;
 # File types
diff --git a/genfs_contexts b/genfs_contexts
index ff633a76b..2607b9dab 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -9,6 +9,6 @@ genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard:s0
+genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard:s0
+genfscon fuse / u:object_r:sdcard_internal:s0
diff --git a/mediaserver.te b/mediaserver.te
index f941c6a63..0696331cd 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -8,7 +8,7 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 unix_socket_connect(mediaserver, property, init)
-r_dir_file(mediaserver, sdcard)
+r_dir_file(mediaserver, sdcard_type)
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
@@ -18,7 +18,7 @@ binder_service(mediaserver)
 allow mediaserver kernel:system module_request;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file r_file_perms;
-allow mediaserver sdcard:file write;
+allow mediaserver sdcard_type:file write;
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/rild.te b/rild.te
index 917634807..c331bb327 100644
--- a/rild.te
+++ b/rild.te
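Review bot: In the genfs_contexts hunk the internal/external label is assigned purely by filesystem type: every `vfat` mount becomes `sdcard_external` and every `fuse` mount becomes `sdcard_internal`. A removable card exposed through a FUSE daemon, or a vfat partition on built-in storage, would therefore get the opposite label from what the type name suggests, and the per-card booleans in app.te would gate the wrong storage. A comment above the two entries would make that limit explicit: `# Labels follow filesystem type, not physical location: fuse => sdcard_internal, vfat => sdcard_external.`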
@@ -23,7 +23,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 allow rild radio_data_file:dir r_dir_perms;
 allow rild radio_data_file:file rw_file_perms;
 allow rild radio_device:lnk_file r_file_perms;
-allow rild sdcard:dir r_dir_perms;
+allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir create_dir_perms;
 allow rild system_data_file:file create_file_perms;
 allow rild system_file:file x_file_perms;
diff --git a/sdcardd.te b/sdcardd.te
index 1281ae4fe..4445183a0 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -6,7 +6,7 @@ init_daemon_domain(sdcardd)
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard:filesystem mount;
+allow sdcardd sdcard_type:filesystem mount;
 allow sdcardd self:capability { setuid setgid dac_override sys_admin };
 allow sdcardd system_data_file:dir create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;
diff --git a/shell.te b/shell.te
index 5b4d843e2..bf9ee44a5 100644
--- a/shell.te
+++ b/shell.te
@@ -13,8 +13,8 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 # Access sdcard.
-allow shell sdcard:dir rw_dir_perms;
-allow shell sdcard:file create_file_perms;
+allow shell sdcard_type:dir rw_dir_perms;
+allow shell sdcard_type:file create_file_perms;
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
diff --git a/system.te b/system.te
index a87251659..62240feb9 100644
--- a/system.te
+++ b/system.te
@@ -28,7 +28,7 @@ selinux_getenforce(system)
 selinux_getenforce(system_app)
 # Settings app reads sdcard for storage stats
-allow system_app sdcard:dir r_dir_perms;
+allow system_app sdcard_type:dir r_dir_perms;
 bool manage_selinux true;
 if (manage_selinux) {
diff --git a/vold.te b/vold.te
index 60d6a3729..c1b905503 100644
--- a/vold.te
+++ b/vold.te
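Review bot: In the sdcardd.te hunk, `allow sdcardd sdcard_type:filesystem mount;` grants the mount permission on the whole attribute although this domain works through `fuse_device` and genfs_contexts labels fuse mounts `sdcard_internal`. Naming the attribute also covers `sdcard_external` and any type later added to `sdcard_type`, so the split is not used to narrow the daemon. If sdcardd only mounts the FUSE view, `allow sdcardd sdcard_internal:filesystem mount;` is the least-privilege form. The zygote.te hunk has the same pattern: its comment says the rule is for setting up /storage/emulated, so `allow zygote sdcard_internal:dir { write search setattr create add_name mounton };` would suffice, assuming that path is the fuse mount.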
@@ -10,9 +10,9 @@ allow vold block_device:blk_file create_file_perms;
 allow vold block_device:lnk_file read;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-allow vold sdcard:dir mounton;
-allow vold sdcard:filesystem { mount remount unmount };
-allow vold sdcard:dir create_dir_perms;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
diff --git a/zygote.te b/zygote.te
index 743af36d4..24e4189e0 100644
--- a/zygote.te
+++ b/zygote.te
@@ -33,7 +33,7 @@ allow zygote rootfs:file r_file_perms;
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;
-allow zygote sdcard:dir { write search setattr create add_name mounton };
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
 dontaudit zygote self:capability fsetid;
 allow zygote tmpfs:dir { write create add_name setattr mounton };
 allow zygote tmpfs:filesystem mount;
-- GitLab