From e3151bd1e87eeb19ab911914d156770a9ecfc385 Mon Sep 17 00:00:00 2001 From: Nick Kralevich <nnk@google.com> Date: Tue, 12 Apr 2016 20:43:06 -0700 Subject: [PATCH] Restore /mnt/sdcard symlink read access Allow adbd and app domains to read the symlink at /mnt/sdcard. This symlink was suppose to have been removed in the Gingerbread time frame, but lives on. Read access for this symlink was removed from adbd and the shell user in 8ca19368dae676ba8769c15ead2469a9f44e562e, and from untrusted_app in cbf7ba18db3c607834d3f8d0745dae99f3e2a4ec. Addresses the following denials: avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 Bug: 25801877 Bug: 28108983 Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0 --- adbd.te | 3 ++- app.te | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/adbd.te b/adbd.te index cd5df2a80..b44cf0dd7 100644 --- a/adbd.te +++ b/adbd.te @@ -36,7 +36,8 @@ allow adbd shell_data_file:file create_file_perms; # adb push/pull sdcard. allow adbd tmpfs:dir search; -allow adbd rootfs:lnk_file r_file_perms; +allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink +allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink allow adbd sdcard_type:dir create_dir_perms; allow adbd sdcard_type:file create_file_perms; diff --git a/app.te b/app.te index c9c5ca201..c4ebdf65f 100644 --- a/app.te +++ b/app.te 
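Review bot: The added `allow adbd tmpfs:lnk_file r_file_perms;` covers every symlink that carries the generic `tmpfs` type, not only /mnt/sdcard as its trailing comment implies. The denials quoted in the commit message show the link is labeled plain `u:object_r:tmpfs:s0`, so nothing in the rule ties it to that one path. A tighter form would label the symlink with a dedicated type and allow only that, e.g. `allow adbd <mnt_sdcard_symlink_type>:lnk_file r_file_perms;` (placeholder type name). If the rule stays on `tmpfs`, the comment should state the real scope, for example `# /mnt/sdcard symlink; grants read on all tmpfs-labeled symlinks`. The same applies to the `allow appdomain tmpfs:lnk_file r_file_perms;` line added in the app.te hunk.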
@@ -33,8 +33,9 @@ allow appdomain cgroup:file rw_file_perms; allow appdomain dalvikcache_data_file:dir { search getattr }; allow appdomain dalvikcache_data_file:file r_file_perms; -# Read the /sdcard symlink +# Read the /sdcard and /mnt/sdcard symlinks allow appdomain rootfs:lnk_file r_file_perms; +allow appdomain tmpfs:lnk_file r_file_perms; # Search /storage/emulated tmpfs mount. allow appdomain tmpfs:dir r_dir_perms; -- GitLab
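Review bot: The new `allow appdomain tmpfs:lnk_file r_file_perms;` is attached to the `appdomain` attribute, so every domain carrying that attribute gains it, while the only app-side denial quoted in the commit message comes from `untrusted_app`. If the more tightly sandboxed app domains never resolve /mnt/sdcard, the rule could sit in the specific domains' policy files, or use an exclusion set such as `allow { appdomain -<sandboxed_domain> } tmpfs:lnk_file r_file_perms;` (placeholder domain name). Following a symlink should need only `read`, plus `getattr` for lstat, so `{ getattr read }` would state the intent more precisely than `r_file_perms`.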