From d25d57a3cd24241793ba92f5b2e0915ffb552e68 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Thu, 31 Mar 2016 13:53:42 -0700
Subject: [PATCH] Allow access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
---
 adbd.te        | 2 ++
 kernel.te      | 6 ++++++
 mediaserver.te | 6 ++++++
 shell.te       | 2 ++
 4 files changed, 16 insertions(+)

diff --git a/adbd.te b/adbd.te
index 27ffdd845..cd5df2a80 100644
--- a/adbd.te
+++ b/adbd.te
@@ -102,5 +102,7 @@ allow adbd mnt_user_file:dir r_dir_perms;
 allow adbd mnt_user_file:lnk_file r_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow adbd media_rw_data_file:dir create_dir_perms;
 allow adbd media_rw_data_file:file create_file_perms;
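Review bot: The removal condition added above the `media_rw_data_file` rules names no tracking bug, so nothing in the policy file ties this temporary grant to the work that would let it be deleted. The commit message lists Bug: 27915475 and Bug: 27937873; citing them in the comment, e.g. `# TODO(b/27915475, b/27937873): remove once sdcardfs sets the secontext for lower-FS accesses.`, keeps the rule findable when that change lands. The same two-line comment is repeated in the kernel.te, mediaserver.te and shell.te hunks and would benefit from the same reference.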
diff --git a/kernel.te b/kernel.te
index 20b0c0a30..1ca5673f0 100644
--- a/kernel.te
+++ b/kernel.te
@@ -65,6 +65,12 @@ allow kernel asec_image_file:file read;
 
 domain_auto_trans(kernel, init_exec, init)
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
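Review bot: The two new `allow kernel media_rw_data_file` rules apply to everything running in the `kernel` domain, not only to accesses sdcardfs makes on behalf of a caller, and `create_dir_perms` / `create_file_perms` cover create, rename and unlink as well as read and write. A type-enforcement rule cannot tell an access that arrived through sdcardfs from one made directly on the /data/media backing path, so for these domains DAC would be the only remaining check on the raw store; the mediaserver.te hunk grants the same set to a domain that, judging by its name, handles media content. If the denials seen in testing involve only a subset, it would be worth granting just that subset (for instance `r_dir_perms` / `rw_file_perms` where sufficient) and noting in the comment which operations need the rest. The neverallow section that follows continues outside the hunk, so whether an existing neverallow already constrains this cannot be checked from here.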
diff --git a/mediaserver.te b/mediaserver.te
index 86164033a..c6ec3ff2e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -124,6 +124,12 @@ allow mediaserver drmserver:drmservice {
 allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/shell.te b/shell.te
index fc5c2768b..a304673a0 100644
--- a/shell.te
+++ b/shell.te
@@ -123,6 +123,8 @@ allow shell sysfs:dir r_dir_perms;
 allow shell ion_device:chr_file rw_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow shell media_rw_data_file:dir create_dir_perms;
 allow shell media_rw_data_file:file create_file_perms;
 
-- 
GitLab