Commit d25d57a3 authored by Daniel Rosenberg's avatar Daniel Rosenberg

Allow access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
parent bb90999e
...@@ -102,5 +102,7 @@ allow adbd mnt_user_file:dir r_dir_perms; ...@@ -102,5 +102,7 @@ allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms; allow adbd mnt_user_file:lnk_file r_file_perms;
# Access to /data/media. # Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms; allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms; allow adbd media_rw_data_file:file create_file_perms;
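Review bot: The removal condition added above the adbd rules names no tracking bug, so nothing in the policy file links this temporary grant to the work that would retire it; the same two-line comment is repeated in the kernel, mediaserver and shell hunks. The commit message cites Bug 27915475 and Bug 27937873, and carrying one into the comment, e.g. `# TODO(b/27915475): remove once sdcardfs changes the secontext of its lower-FS accesses.`, would make the rule easy to find when auditing for leftover broad grants. Which of the two bugs tracks the sdcardfs change is not visible on this page, so the id should be confirmed before it is written in.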
...@@ -65,6 +65,12 @@ allow kernel asec_image_file:file read; ...@@ -65,6 +65,12 @@ allow kernel asec_image_file:file read;
domain_auto_trans(kernel, init_exec, init) domain_auto_trans(kernel, init_exec, init)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;
### ###
### neverallow rules ### neverallow rules
### ###
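Review bot: The two new `allow kernel media_rw_data_file:...` rules give the whole `kernel` domain `create_dir_perms` and `create_file_perms` on /data/media, not just the sdcardfs code path. Everything running in that domain therefore gains create, rename and unlink on that type. The mediaserver hunk adds the same pair for a domain that parses media content supplied by other apps. The denials that motivated these rules are not shown here; if they only cover access to existing objects, starting from `rw_dir_perms` and `rw_file_perms` and widening as audit logs require would keep the temporary grant smaller. A one-line comment saying which operation needs `create` in each domain would also make the later removal easier to verify.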
......
...@@ -124,6 +124,12 @@ allow mediaserver drmserver:drmservice { ...@@ -124,6 +124,12 @@ allow mediaserver drmserver:drmservice {
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir create_dir_perms;
allow mediaserver media_rw_data_file:file create_file_perms;
### ###
### neverallow rules ### neverallow rules
### ###
......
...@@ -123,6 +123,8 @@ allow shell sysfs:dir r_dir_perms; ...@@ -123,6 +123,8 @@ allow shell sysfs:dir r_dir_perms;
allow shell ion_device:chr_file rw_file_perms; allow shell ion_device:chr_file rw_file_perms;
# Access to /data/media. # Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow shell media_rw_data_file:dir create_dir_perms; allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms; allow shell media_rw_data_file:file create_file_perms;
......