allow kernel to use vold file descriptors

Vold opens ASEC containsers on the sdcard, or OBB files from app's home directories, both of which are supplied by vold. We need to allow kernel threads to access those file descriptors. Addresses the following denial: loop0 : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0 Bug: 19516891 Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d
2015-02-25 15:14:09 -08:00 · 2015-02-25 15:14:09 -08:00 · 9fe810b739
commit 9fe810b739
parent ab4be88ecb
1 changed files with 1 additions and 0 deletions
--- a/kernel.te
+++ b/kernel.te
@ -45,6 +45,7 @@ allow kernel self:security setcheckreqprot;

 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel vold:fd use;
 allow kernel sdcard_type:file { read write };

 # Allow the kernel to read OBB files from app directories. (b/17428116)