isolated_app.te: Give permissions for using sdcardfs

Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
Daniel Rosenberg 2016-12-12 11:51:38 -08:00
parent 9f1e2b53fb
commit 02bf4aad9f


@ -30,8 +30,10 @@ allow isolated_app self:process ptrace;
# neverallow rules below. # neverallow rules below.
# TODO: consider removing write/append. We want to limit isolated_apps # TODO: consider removing write/append. We want to limit isolated_apps
# ability to mutate files of any type. # ability to mutate files of any type.
allow isolated_app sdcard_type:file { read write append getattr lock }; # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
auditallow isolated_app sdcard_type:file { write append }; # is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
# For webviews, isolated_app processes can be forked from the webview_zygote # For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the # in addition to the zygote. Allow access to resources inherited from the
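Review bot: On the added allow line, media_rw_data_file receives the same write and append permissions as sdcard_type, even though the TODO directly above already questions whether isolated_app should be able to mutate files of any type. If the sdcardfs case only needs reads on the lower filesystem, consider a separate, narrower rule such as `allow isolated_app media_rw_data_file:file { read getattr };` and leave the sdcard_type rule unchanged; if writes are required, extending the auditallow as done here is the right way to keep them visible. The new comment says the type can be dropped once sdcardfs changes the secontext, so citing the bug number (32735101) in that comment would make the temporary grant easier to track and remove. The comment at the top of the hunk also refers to neverallow rules below, which lie outside this hunk, so it is worth confirming they still hold with media_rw_data_file added.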