From e13fabd75a1adb47abdaa115a793d2f1ad247af7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 17 Dec 2013 14:39:35 -0500
Subject: [PATCH] Label /data/media with its own type and allow access.

/data/media presently is left in system_data_file, which requires anything that wants to write to it to be able to write to system_data_file. Introduce a new type for /data/media, media_rw_data_file (to match the media_rw UID assigned to it and distinguish it from /data/misc/media which has media UID and media_data_file type), and allow access to it. We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted to signature|system. We should not have to allow it to untrusted_app. Set up type transitions in sdcardd to automatically label any directories or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 file.te | 1 +
 file_contexts | 1 +
 platform_app.te | 3 +++
 sdcardd.te | 4 ++++
 4 files changed, 9 insertions(+)

diff --git a/file.te b/file.te
index cb184e31d..3ca9fd7b2 100644
--- a/file.te
+++ b/file.te
@@ -60,6 +60,7 @@ type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 9df91cd10..817c0e021 100644
--- a/file_contexts
+++ b/file_contexts
@@ -170,6 +170,7 @@ /data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0 +/data/media(/.*)? u:object_r:media_rw_data_file:s0 # Misc data /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/platform_app.te b/platform_app.te
index 1e89760e0..5a0167e10 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,3 +39,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
diff --git a/sdcardd.te b/sdcardd.te
index 25d12463a..f9e72b7ac 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -3,3 +3,7 @@ type sdcardd_exec, exec_type, file_type; init_daemon_domain(sdcardd) unconfined_domain(sdcardd) + +type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; +allow sdcardd media_rw_data_file:dir create_dir_perms; +allow sdcardd media_rw_data_file:file create_file_perms;
-- 
GitLab
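Review bot: The added `/data/media(/.*)?` entry in file_contexts only takes effect when something relabels the tree, so content that already exists under /data/media on an upgraded device would keep `system_data_file` until a recursive restorecon runs. No such step is visible in this patch; if it is not handled elsewhere, the new `media_rw_data_file` rules would not cover pre-existing files and directories. A comment above the entry, for example `# Existing /data/media content must be relabeled (restorecon -R) on upgrade.`, would record that dependency.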
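Review bot: The two added `allow platformappdomain media_rw_data_file:...` rules in platform_app.te apply to every platform app domain, not only to apps that actually hold WRITE_MEDIA_STORAGE. The per-app gate is then presumably left to the DAC ownership (media_rw) mentioned in the commit message. The comment `# Access to /data/media.` does not record that reasoning or the decision to keep untrusted_app out. Consider expanding it to something like `# /data/media access for WRITE_MEDIA_STORAGE holders (signature|system); DAC still gates per app. Do not grant to untrusted_app.`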
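Review bot: The added `type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;` in sdcardd.te is keyed on the parent directory's type, so it relabels anything sdcardd creates in any `system_data_file` directory, not only under /data/media. Once /data/media itself carries `media_rw_data_file`, new entries inherit that type from the parent without a transition, so the rule mainly matters while the parent is still labeled `system_data_file`. A comment such as `# Covers creation under a parent still labeled system_data_file; scope is all system_data_file dirs.` would help whoever later confines this domain. The two `allow sdcardd` lines are likely redundant with the `unconfined_domain(sdcardd)` shown in the context, and a note that they are there in preparation for removing it would be useful.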