Merge "Allow appdomain sepolicy search access to /mnt/media_rw"

private/app.te

@@ -34,6 +34,9 @@ dontaudit appdomain system_data_file:dir write;
 # Apps should not be reading vendor-defined properties.
 dontaudit appdomain vendor_default_prop:file read;
 
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };

private/system_app.te

@@ -21,9 +21,6 @@ allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
 
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
 # Access to apex files stored on /data (b/136063500)
 # Needed so that Settings can access NOTICE files inside apex
 # files located in the assets/ directory.

private/untrusted_app_all.te

@@ -84,10 +84,6 @@ allow untrusted_app_all system_app_data_file:file { read write getattr };
 allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
 allow untrusted_app_all media_rw_data_file:file create_file_perms;
 
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
 # allow cts to query all services
 allow untrusted_app_all servicemanager:service_manager list;