Commit cf610692 authored by Stephen Smalley

Only allow app domains to access SDcard via fuse mount.


sdcard_internal is assigned to fuse mounts while sdcard_external
is assigned to vfat mounts by genfs_contexts.  Originally we
allowed access to both via the sdcard_type attribute, and access
via both means was required.  IIUC however, in 4.4 and later,
SDcard access should always occur via the fuse mount and we can
drop access to sdcard_external.

I think we can do the same for all domains except sdcardd.  However,
I cannot test this as the Nexus devices do not have external SDcard
support.

Also wondering if we should rename sdcard_internal type to fuse
and sdcard_external type to vfat to more clearly represent their
meaning, since one accesses the external SDcard via the fuse mount now.

Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent 04b8a75c
...@@ -115,9 +115,9 @@ allow appdomain radio_data_file:file { read write getattr }; ...@@ -115,9 +115,9 @@ allow appdomain radio_data_file:file { read write getattr };
# cropping or taking user photos. # cropping or taking user photos.
allow untrusted_app system_app_data_file:file { read write getattr }; allow untrusted_app system_app_data_file:file { read write getattr };
# Access SDcard. # Access SDcard via the fuse mount.
allow appdomain sdcard_type:dir create_dir_perms; allow appdomain sdcard_internal:dir create_dir_perms;
allow appdomain sdcard_type:file create_file_perms; allow appdomain sdcard_internal:file create_file_perms;
# Allow apps to use the USB Accessory interface. # Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
......
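Review bot: The two `allow appdomain` rules now name `sdcard_internal` instead of the `sdcard_type` attribute, but the new comment does not say that `sdcard_external` (the vfat label) is being left out on purpose, and the commit message states the change could not be tested on a device with an external SDcard. Consider extending the comment to something like "Access SDcard via the fuse mount only; direct vfat (sdcard_external) access is intentionally not granted", so a later reader does not restore the attribute by mistake. Before merging, it would also help to run this on hardware that has an external card and check the audit log for avc denials with `tcontext` of type `sdcard_external` from app domains, since any app path that still reaches the vfat mount directly will lose both dir and file access with this hunk.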