Merge "Add fusefs_type for FUSE filesystems"
This commit is contained in:
Thiébaud Weksteen
Gerrit Code Review
commit
53ef2e85e2
24 changed files with 54 additions and 43 deletions
|
|
@ -77,8 +77,8 @@ allow adbd profman_dump_data_file:file r_file_perms;
|
||||||
allow adbd tmpfs:dir search;
|
allow adbd tmpfs:dir search;
|
||||||
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
|
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
|
||||||
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
|
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
|
||||||
allow adbd sdcard_type:dir create_dir_perms;
|
allow adbd { sdcard_type fuse }:dir create_dir_perms;
|
||||||
allow adbd sdcard_type:file create_file_perms;
|
allow adbd { sdcard_type fuse }:file create_file_perms;
|
||||||
|
|
||||||
# adb pull /data/anr/traces.txt
|
# adb pull /data/anr/traces.txt
|
||||||
allow adbd anr_data_file:dir r_dir_perms;
|
allow adbd anr_data_file:dir r_dir_perms;
|
||||||
|
|
|
||||||
|
|
@ -131,6 +131,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
|
||||||
neverallow { all_untrusted_apps -mediaprovider } {
|
neverallow { all_untrusted_apps -mediaprovider } {
|
||||||
fs_type
|
fs_type
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
|
-fuse
|
||||||
file_type
|
file_type
|
||||||
-app_data_file # The apps sandbox itself
|
-app_data_file # The apps sandbox itself
|
||||||
-privapp_data_file
|
-privapp_data_file
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ init_daemon_domain(audioserver)
|
||||||
tmpfs_domain(audioserver)
|
tmpfs_domain(audioserver)
|
||||||
|
|
||||||
r_dir_file(audioserver, sdcard_type)
|
r_dir_file(audioserver, sdcard_type)
|
||||||
|
r_dir_file(audioserver, fuse)
|
||||||
|
|
||||||
binder_use(audioserver)
|
binder_use(audioserver)
|
||||||
binder_call(audioserver, binderservicedomain)
|
binder_call(audioserver, binderservicedomain)
|
||||||
|
|
|
||||||
|
|
@ -354,8 +354,8 @@ neverallow ~{
|
||||||
} self:global_capability_class_set dac_read_search;
|
} self:global_capability_class_set dac_read_search;
|
||||||
|
|
||||||
# Limit what domains can mount filesystems or change their mount flags.
|
# Limit what domains can mount filesystems or change their mount flags.
|
||||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
|
||||||
# this capability, including device-specific domains.
|
# set of domains need this capability, including device-specific domains.
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
-apexd
|
-apexd
|
||||||
|
|
@ -369,6 +369,7 @@ neverallow {
|
||||||
-zygote
|
-zygote
|
||||||
} { fs_type
|
} { fs_type
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
|
-fusefs_type
|
||||||
}:filesystem { mount remount relabelfrom relabelto };
|
}:filesystem { mount remount relabelfrom relabelto };
|
||||||
|
|
||||||
enforce_debugfs_restriction(`
|
enforce_debugfs_restriction(`
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@ net_domain(ephemeral_app)
|
||||||
app_domain(ephemeral_app)
|
app_domain(ephemeral_app)
|
||||||
|
|
||||||
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
||||||
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
|
||||||
|
|
||||||
# Some apps ship with shared libraries and binaries that they write out
|
# Some apps ship with shared libraries and binaries that they write out
|
||||||
# to their sandbox directory and then execute.
|
# to their sandbox directory and then execute.
|
||||||
|
|
@ -87,8 +87,8 @@ neverallow ephemeral_app sysfs:file *;
|
||||||
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
||||||
|
|
||||||
# Directly access external storage
|
# Directly access external storage
|
||||||
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
|
||||||
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
|
||||||
|
|
||||||
# Avoid reads to proc_net, it contains too much device wide information about
|
# Avoid reads to proc_net, it contains too much device wide information about
|
||||||
# ongoing connections.
|
# ongoing connections.
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ userdebug_or_eng(`
|
||||||
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
|
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
|
||||||
allow gsid { shell su }:fifo_file r_file_perms;
|
allow gsid { shell su }:fifo_file r_file_perms;
|
||||||
# Allow installing images from /storage/emulated/...
|
# Allow installing images from /storage/emulated/...
|
||||||
allow gsid sdcard_type:file r_file_perms;
|
allow gsid { sdcard_type fuse }:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ allow isolated_app self:process ptrace;
|
||||||
# neverallow rules below.
|
# neverallow rules below.
|
||||||
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
|
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
|
||||||
# is modified to change the secontext when accessing the lower filesystem.
|
# is modified to change the secontext when accessing the lower filesystem.
|
||||||
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
|
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
|
||||||
|
|
||||||
# For webviews, isolated_app processes can be forked from the webview_zygote
|
# For webviews, isolated_app processes can be forked from the webview_zygote
|
||||||
# in addition to the zygote. Allow access to resources inherited from the
|
# in addition to the zygote. Allow access to resources inherited from the
|
||||||
|
|
@ -110,10 +110,10 @@ neverallow isolated_app cache_file:file ~{ read getattr };
|
||||||
|
|
||||||
# Do not allow isolated_app to access external storage, except for files passed
|
# Do not allow isolated_app to access external storage, except for files passed
|
||||||
# via file descriptors (b/32896414).
|
# via file descriptors (b/32896414).
|
||||||
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
|
neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
|
||||||
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
|
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
|
||||||
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
|
neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
|
||||||
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
|
neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
|
||||||
|
|
||||||
# Do not allow USB access
|
# Do not allow USB access
|
||||||
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
|
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
|
||||||
|
|
|
||||||
|
|
@ -142,7 +142,7 @@ dontaudit surfaceflinger vendor_default_prop:file read;
|
||||||
|
|
||||||
# Do not allow accessing SDcard files as unsafe ejection could
|
# Do not allow accessing SDcard files as unsafe ejection could
|
||||||
# cause the kernel to kill the process.
|
# cause the kernel to kill the process.
|
||||||
neverallow surfaceflinger sdcard_type:file rw_file_perms;
|
neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
|
||||||
|
|
||||||
# b/68864350
|
# b/68864350
|
||||||
dontaudit surfaceflinger unlabeled:dir search;
|
dontaudit surfaceflinger unlabeled:dir search;
|
||||||
|
|
|
||||||
|
|
@ -965,7 +965,7 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
|
||||||
|
|
||||||
# Allow statfs() on storage devices, which happens fast enough that
|
# Allow statfs() on storage devices, which happens fast enough that
|
||||||
# we shouldn't be killed during unsafe removal
|
# we shouldn't be killed during unsafe removal
|
||||||
allow system_server sdcard_type:dir { getattr search };
|
allow system_server { sdcard_type fuse }:dir { getattr search };
|
||||||
|
|
||||||
# Traverse into expanded storage
|
# Traverse into expanded storage
|
||||||
allow system_server mnt_expand_file:dir r_dir_perms;
|
allow system_server mnt_expand_file:dir r_dir_perms;
|
||||||
|
|
@ -1159,8 +1159,8 @@ userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
|
||||||
|
|
||||||
# Do not allow opening files from external storage as unsafe ejection
|
# Do not allow opening files from external storage as unsafe ejection
|
||||||
# could cause the kernel to kill the system_server.
|
# could cause the kernel to kill the system_server.
|
||||||
neverallow system_server sdcard_type:dir { open read write };
|
neverallow system_server { sdcard_type fuse }:dir { open read write };
|
||||||
neverallow system_server sdcard_type:file rw_file_perms;
|
neverallow system_server { sdcard_type fuse }:file rw_file_perms;
|
||||||
|
|
||||||
# system server should never be operating on zygote spawned app data
|
# system server should never be operating on zygote spawned app data
|
||||||
# files directly. Rather, they should always be passed via a
|
# files directly. Rather, they should always be passed via a
|
||||||
|
|
|
||||||
|
|
@ -152,8 +152,8 @@ allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
|
||||||
allow zygote storage_file:dir { search mounton };
|
allow zygote storage_file:dir { search mounton };
|
||||||
|
|
||||||
# Allow mounting and creating files, dirs on sdcardfs.
|
# Allow mounting and creating files, dirs on sdcardfs.
|
||||||
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
|
allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
|
||||||
allow zygote { sdcard_type }:file { create_file_perms };
|
allow zygote { sdcard_type fuse }:file { create_file_perms };
|
||||||
|
|
||||||
# Handle --invoke-with command when launching Zygote with a wrapper command.
|
# Handle --invoke-with command when launching Zygote with a wrapper command.
|
||||||
allow zygote zygote_exec:file rx_file_perms;
|
allow zygote zygote_exec:file rx_file_perms;
|
||||||
|
|
|
||||||
|
|
@ -261,8 +261,8 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
|
||||||
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
|
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
|
||||||
|
|
||||||
# Read/write visible storage
|
# Read/write visible storage
|
||||||
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
|
allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
|
||||||
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
|
allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
|
||||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||||
# accesses to the underlying FS.
|
# accesses to the underlying FS.
|
||||||
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
|
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,12 @@ attribute fs_type;
|
||||||
# All types used for context= mounts.
|
# All types used for context= mounts.
|
||||||
attribute contextmount_type;
|
attribute contextmount_type;
|
||||||
|
|
||||||
|
# All types referencing a FUSE filesystem.
|
||||||
|
# When mounting a new FUSE filesystem, the fscontext= option should be used to
|
||||||
|
# set a domain-specific type with this attribute. See app_fusefs for an
|
||||||
|
# example.
|
||||||
|
attribute fusefs_type;
|
||||||
|
|
||||||
# All types used for files that can exist on a labeled fs.
|
# All types used for files that can exist on a labeled fs.
|
||||||
# Do not use for pseudo file types.
|
# Do not use for pseudo file types.
|
||||||
# On change, update CHECK_FC_ASSERT_ATTRS
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
||||||
|
|
|
||||||
|
|
@ -18,11 +18,11 @@ allow drmserver system_server:fd use;
|
||||||
# Perform Binder IPC to mediaserver
|
# Perform Binder IPC to mediaserver
|
||||||
binder_call(drmserver, mediaserver)
|
binder_call(drmserver, mediaserver)
|
||||||
|
|
||||||
allow drmserver sdcard_type:dir search;
|
allow drmserver { sdcard_type fuse }:dir search;
|
||||||
allow drmserver drm_data_file:dir create_dir_perms;
|
allow drmserver drm_data_file:dir create_dir_perms;
|
||||||
allow drmserver drm_data_file:file create_file_perms;
|
allow drmserver drm_data_file:file create_file_perms;
|
||||||
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
|
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
|
||||||
allow drmserver sdcard_type:file { read write getattr map };
|
allow drmserver { sdcard_type fuse }:file { read write getattr map };
|
||||||
r_dir_file(drmserver, efs_file)
|
r_dir_file(drmserver, efs_file)
|
||||||
|
|
||||||
type drmserver_socket, file_type;
|
type drmserver_socket, file_type;
|
||||||
|
|
|
||||||
|
|
@ -138,7 +138,7 @@ type devpts, fs_type, mlstrustedobject;
|
||||||
type tmpfs, fs_type;
|
type tmpfs, fs_type;
|
||||||
type shm, fs_type;
|
type shm, fs_type;
|
||||||
type mqueue, fs_type;
|
type mqueue, fs_type;
|
||||||
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
type fuse, fusefs_type, fs_type, mlstrustedobject;
|
||||||
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
||||||
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
||||||
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
||||||
|
|
@ -160,7 +160,7 @@ type functionfs, fs_type, mlstrustedobject;
|
||||||
type oemfs, fs_type, contextmount_type;
|
type oemfs, fs_type, contextmount_type;
|
||||||
type usbfs, fs_type;
|
type usbfs, fs_type;
|
||||||
type binfmt_miscfs, fs_type;
|
type binfmt_miscfs, fs_type;
|
||||||
type app_fusefs, fs_type, contextmount_type;
|
type app_fusefs, fs_type, fusefs_type, contextmount_type;
|
||||||
|
|
||||||
# File types
|
# File types
|
||||||
type unlabeled, file_type;
|
type unlabeled, file_type;
|
||||||
|
|
|
||||||
|
|
@ -23,5 +23,5 @@ allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
|
||||||
###
|
###
|
||||||
|
|
||||||
# hal_wifi_hostapd should not trust any data from sdcards
|
# hal_wifi_hostapd should not trust any data from sdcards
|
||||||
neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
|
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
|
||||||
neverallow hal_wifi_hostapd_server sdcard_type:file *;
|
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
|
||||||
|
|
|
||||||
|
|
@ -34,5 +34,5 @@ allow hal_wifi_supplicant wifi_key:keystore2_key {
|
||||||
###
|
###
|
||||||
|
|
||||||
# wpa_supplicant should not trust any data from sdcards
|
# wpa_supplicant should not trust any data from sdcards
|
||||||
neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
|
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
|
||||||
neverallow hal_wifi_supplicant_server sdcard_type:file *;
|
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
|
||||||
|
|
|
||||||
|
|
@ -313,11 +313,12 @@ allow init {
|
||||||
-keychord_device
|
-keychord_device
|
||||||
-proc_type
|
-proc_type
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
|
-fusefs_type
|
||||||
-sysfs_type
|
-sysfs_type
|
||||||
-rootfs
|
-rootfs
|
||||||
enforce_debugfs_restriction(`-debugfs_type')
|
enforce_debugfs_restriction(`-debugfs_type')
|
||||||
}:file { open read setattr };
|
}:file { open read setattr };
|
||||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
|
||||||
|
|
||||||
allow init {
|
allow init {
|
||||||
binder_device
|
binder_device
|
||||||
|
|
|
||||||
|
|
@ -71,8 +71,8 @@ allow installd media_rw_data_file:dir relabelto;
|
||||||
# Delete /data/media files through sdcardfs, instead of going behind its back
|
# Delete /data/media files through sdcardfs, instead of going behind its back
|
||||||
allow installd tmpfs:dir r_dir_perms;
|
allow installd tmpfs:dir r_dir_perms;
|
||||||
allow installd storage_file:dir search;
|
allow installd storage_file:dir search;
|
||||||
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
|
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
|
||||||
allow installd sdcard_type:file { getattr unlink };
|
allow installd { sdcard_type fuse }:file { getattr unlink };
|
||||||
|
|
||||||
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
|
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
|
||||||
allow installd mirror_data_file:dir { create_dir_perms mounton };
|
allow installd mirror_data_file:dir { create_dir_perms mounton };
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@ allow kernel selinuxfs:file write;
|
||||||
allow kernel self:security setcheckreqprot;
|
allow kernel self:security setcheckreqprot;
|
||||||
|
|
||||||
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
||||||
allow kernel sdcard_type:file { read write };
|
allow kernel { sdcard_type fuse }:file { read write };
|
||||||
|
|
||||||
# f_mtp driver accesses files from kernel context.
|
# f_mtp driver accesses files from kernel context.
|
||||||
allow kernel mediaprovider:fd use;
|
allow kernel mediaprovider:fd use;
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,7 @@ allow mediaextractor proc_meminfo:file r_file_perms;
|
||||||
crash_dump_fallback(mediaextractor)
|
crash_dump_fallback(mediaextractor)
|
||||||
|
|
||||||
# allow mediaextractor read permissions for file sources
|
# allow mediaextractor read permissions for file sources
|
||||||
allow mediaextractor sdcard_type:file { getattr read };
|
allow mediaextractor { sdcard_type fuse }:file { getattr read };
|
||||||
allow mediaextractor media_rw_data_file:file { getattr read };
|
allow mediaextractor media_rw_data_file:file { getattr read };
|
||||||
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
|
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@ typeattribute mediaserver mlstrustedsubject;
|
||||||
net_domain(mediaserver)
|
net_domain(mediaserver)
|
||||||
|
|
||||||
r_dir_file(mediaserver, sdcard_type)
|
r_dir_file(mediaserver, sdcard_type)
|
||||||
|
r_dir_file(mediaserver, fuse)
|
||||||
r_dir_file(mediaserver, cgroup)
|
r_dir_file(mediaserver, cgroup)
|
||||||
r_dir_file(mediaserver, cgroup_v2)
|
r_dir_file(mediaserver, cgroup_v2)
|
||||||
|
|
||||||
|
|
@ -30,7 +31,7 @@ binder_service(mediaserver)
|
||||||
allow mediaserver media_data_file:dir create_dir_perms;
|
allow mediaserver media_data_file:dir create_dir_perms;
|
||||||
allow mediaserver media_data_file:file create_file_perms;
|
allow mediaserver media_data_file:file create_file_perms;
|
||||||
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
|
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
|
||||||
allow mediaserver sdcard_type:file write;
|
allow mediaserver { sdcard_type fuse }:file write;
|
||||||
allow mediaserver gpu_device:chr_file rw_file_perms;
|
allow mediaserver gpu_device:chr_file rw_file_perms;
|
||||||
allow mediaserver video_device:dir r_dir_perms;
|
allow mediaserver video_device:dir r_dir_perms;
|
||||||
allow mediaserver video_device:chr_file rw_file_perms;
|
allow mediaserver video_device:chr_file rw_file_perms;
|
||||||
|
|
|
||||||
|
|
@ -10,11 +10,11 @@ allow sdcardd tmpfs:dir r_dir_perms;
|
||||||
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
|
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
|
||||||
allow sdcardd storage_file:dir search;
|
allow sdcardd storage_file:dir search;
|
||||||
allow sdcardd storage_stub_file:dir { search mounton };
|
allow sdcardd storage_stub_file:dir { search mounton };
|
||||||
allow sdcardd sdcard_type:filesystem { mount unmount };
|
allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
|
||||||
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
|
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
|
||||||
|
|
||||||
allow sdcardd sdcard_type:dir create_dir_perms;
|
allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
|
||||||
allow sdcardd sdcard_type:file create_file_perms;
|
allow sdcardd { sdcard_type fuse }:file create_file_perms;
|
||||||
|
|
||||||
allow sdcardd media_rw_data_file:dir create_dir_perms;
|
allow sdcardd media_rw_data_file:dir create_dir_perms;
|
||||||
allow sdcardd media_rw_data_file:file create_file_perms;
|
allow sdcardd media_rw_data_file:file create_file_perms;
|
||||||
|
|
|
||||||
|
|
@ -140,6 +140,7 @@ allow vendor_init {
|
||||||
-contextmount_type
|
-contextmount_type
|
||||||
-keychord_device
|
-keychord_device
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
|
-fusefs_type
|
||||||
-rootfs
|
-rootfs
|
||||||
-proc_uid_time_in_state
|
-proc_uid_time_in_state
|
||||||
-proc_uid_concurrent_active_time
|
-proc_uid_concurrent_active_time
|
||||||
|
|
@ -153,6 +154,7 @@ allow vendor_init {
|
||||||
fs_type
|
fs_type
|
||||||
-contextmount_type
|
-contextmount_type
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
|
-fusefs_type
|
||||||
-rootfs
|
-rootfs
|
||||||
-proc_uid_time_in_state
|
-proc_uid_time_in_state
|
||||||
-proc_uid_concurrent_active_time
|
-proc_uid_concurrent_active_time
|
||||||
|
|
|
||||||
|
|
@ -86,14 +86,12 @@ allow vold block_device:dir create_dir_perms;
|
||||||
allow vold device:dir write;
|
allow vold device:dir write;
|
||||||
allow vold devpts:chr_file rw_file_perms;
|
allow vold devpts:chr_file rw_file_perms;
|
||||||
allow vold rootfs:dir mounton;
|
allow vold rootfs:dir mounton;
|
||||||
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
|
allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
|
||||||
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
|
allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
|
||||||
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
|
|
||||||
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
|
|
||||||
|
|
||||||
# Manage locations where storage is mounted
|
# Manage locations where storage is mounted
|
||||||
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
|
allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
|
||||||
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
|
allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
|
||||||
|
|
||||||
# Access to storage that backs emulated FUSE daemons for migration optimization
|
# Access to storage that backs emulated FUSE daemons for migration optimization
|
||||||
allow vold media_rw_data_file:dir create_dir_perms;
|
allow vold media_rw_data_file:dir create_dir_perms;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue