Rename sdcard_internal/external types.
Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
65edb75d53
commit
374b2a198a
5 changed files with 12 additions and 13 deletions
4
app.te
4
app.te
|
@ -116,8 +116,8 @@ allow appdomain radio_data_file:file { read write getattr };
|
|||
allow untrusted_app system_app_data_file:file { read write getattr };
|
||||
|
||||
# Access SDcard via the fuse mount.
|
||||
allow appdomain sdcard_internal:dir create_dir_perms;
|
||||
allow appdomain sdcard_internal:file create_file_perms;
|
||||
allow appdomain fuse:dir create_dir_perms;
|
||||
allow appdomain fuse:file create_file_perms;
|
||||
|
||||
# Allow apps to use the USB Accessory interface.
|
||||
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
|
||||
|
|
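Review bot: The comment `# Access SDcard via the fuse mount.` above the two renamed rules no longer describes what they grant. Per the commit description, `fuse` is the default label for any fuse filesystem mounted without a context= option, so `allow appdomain fuse:dir create_dir_perms;` and `allow appdomain fuse:file create_file_perms;` give every app domain create access to any such mount, not only the SDcard. I would reword the comment so that anyone adding another fuse mount knows to label it explicitly, e.g. `# Access the SDcard via its fuse mount. Note: fuse is the default label for any fuse filesystem mounted without context=.` The same applies to the `allow kernel fuse:file { read write };` rule under `# MTP sync` and to the `allow recovery fuse:dir` / `fuse:file` rules in the later sections, where the commit also drops the old caveat that all fuse files share one label.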
6
file.te
6
file.te
|
@ -28,8 +28,10 @@ type devpts, fs_type, mlstrustedobject;
|
|||
type tmpfs, fs_type;
|
||||
type shm, fs_type;
|
||||
type mqueue, fs_type;
|
||||
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
|
||||
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
|
||||
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
||||
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
typealias fuse alias sdcard_internal;
|
||||
typealias vfat alias sdcard_external;
|
||||
type debugfs, fs_type, mlstrustedobject;
|
||||
type pstorefs, fs_type;
|
||||
type functionfs, fs_type;
|
||||
|
|
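Review bot: The new `fuse` and `vfat` declarations have no comment saying that they are default filesystem labels, yet both keep `sdcard_type` and `mlstrustedobject`. Going by the commit description, every existing allow rule written against `sdcard_type` therefore also covers any fuse or vfat filesystem mounted without context=, which a later reader of this file cannot see from the type names alone. A comment above the two `type` lines would record that, e.g. `# Default labels for fuse/vfat filesystems mounted without context=; not necessarily the SDcard.` The two `typealias` lines could likewise get `# Compatibility aliases for the old names; remove once device-specific policies are updated.`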
|
@ -25,9 +25,9 @@ genfscon cgroup / u:object_r:cgroup:s0
|
|||
# sysfs labels can be set by userspace.
|
||||
genfscon sysfs / u:object_r:sysfs:s0
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
genfscon vfat / u:object_r:sdcard_external:s0
|
||||
genfscon vfat / u:object_r:vfat:s0
|
||||
genfscon debugfs / u:object_r:debugfs:s0
|
||||
genfscon fuse / u:object_r:sdcard_internal:s0
|
||||
genfscon fuse / u:object_r:fuse:s0
|
||||
genfscon pstore / u:object_r:pstorefs:s0
|
||||
genfscon functionfs / u:object_r:functionfs:s0
|
||||
genfscon usbfs / u:object_r:usbfs:s0
|
||||
|
|
|
@ -35,7 +35,7 @@ dontaudit kernel self:security setenforce;
|
|||
allow kernel self:security setcheckreqprot;
|
||||
|
||||
# MTP sync
|
||||
allow kernel sdcard_internal:file { read write };
|
||||
allow kernel fuse:file { read write };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
|
|
|
@ -87,13 +87,10 @@ recovery_only(`
|
|||
# Use setfscreatecon() to label files for OTA updates.
|
||||
allow recovery self:process setfscreate;
|
||||
|
||||
# Allow recovery to create a fuse filesystem, and read files from
|
||||
# it. (Note that all files on fuse filesystems are labeled
|
||||
# "sdcard_internal"; the simulated SD card is the only other user of
|
||||
# fuse.)
|
||||
# Allow recovery to create a fuse filesystem, and read files from it.
|
||||
allow recovery fuse_device:chr_file rw_file_perms;
|
||||
allow recovery sdcard_internal:dir r_dir_perms;
|
||||
allow recovery sdcard_internal:file r_file_perms;
|
||||
allow recovery fuse:dir r_dir_perms;
|
||||
allow recovery fuse:file r_file_perms;
|
||||
|
||||
wakelock_use(recovery)
|
||||
|
||||
|
|