Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
am: cf8719e
* commit 'cf8719e7bad53d6c38b2825b736c27c3f37dbf4e':
sepolicy: Add policy for sdcardfs and configfs
This commit is contained in:
commit
bc2f0e50f2
7 changed files with 16 additions and 0 deletions
2
app.te
2
app.te
|
@ -182,6 +182,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
|
||||||
# Read/write visible storage
|
# Read/write visible storage
|
||||||
allow appdomain fuse:dir create_dir_perms;
|
allow appdomain fuse:dir create_dir_perms;
|
||||||
allow appdomain fuse:file create_file_perms;
|
allow appdomain fuse:file create_file_perms;
|
||||||
|
allow appdomain sdcardfs:dir create_dir_perms;
|
||||||
|
allow appdomain sdcardfs:file create_file_perms;
|
||||||
|
|
||||||
# Access OBBs (vfat images) mounted by vold (b/17633509)
|
# Access OBBs (vfat images) mounted by vold (b/17633509)
|
||||||
# File write access allowed for FDs returned through Storage Access Framework
|
# File write access allowed for FDs returned through Storage Access Framework
|
||||||
|
|
2
file.te
2
file.te
|
@ -29,6 +29,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
|
||||||
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||||
type sysfs_wake_lock, fs_type, sysfs_type;
|
type sysfs_wake_lock, fs_type, sysfs_type;
|
||||||
type sysfs_mac_address, fs_type, sysfs_type;
|
type sysfs_mac_address, fs_type, sysfs_type;
|
||||||
|
type configfs, fs_type;
|
||||||
# /sys/devices/system/cpu
|
# /sys/devices/system/cpu
|
||||||
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
||||||
# /sys/module/lowmemorykiller
|
# /sys/module/lowmemorykiller
|
||||||
|
@ -41,6 +42,7 @@ type tmpfs, fs_type;
|
||||||
type shm, fs_type;
|
type shm, fs_type;
|
||||||
type mqueue, fs_type;
|
type mqueue, fs_type;
|
||||||
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
||||||
|
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
||||||
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
||||||
type debugfs, fs_type;
|
type debugfs, fs_type;
|
||||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
||||||
|
|
|
@ -35,6 +35,8 @@ genfscon inotifyfs / u:object_r:inotify:s0
|
||||||
genfscon vfat / u:object_r:vfat:s0
|
genfscon vfat / u:object_r:vfat:s0
|
||||||
genfscon debugfs / u:object_r:debugfs:s0
|
genfscon debugfs / u:object_r:debugfs:s0
|
||||||
genfscon fuse / u:object_r:fuse:s0
|
genfscon fuse / u:object_r:fuse:s0
|
||||||
|
genfscon configfs / u:object_r:configfs:s0
|
||||||
|
genfscon sdcardfs / u:object_r:sdcardfs:s0
|
||||||
genfscon pstore / u:object_r:pstorefs:s0
|
genfscon pstore / u:object_r:pstorefs:s0
|
||||||
genfscon functionfs / u:object_r:functionfs:s0
|
genfscon functionfs / u:object_r:functionfs:s0
|
||||||
genfscon usbfs / u:object_r:usbfs:s0
|
genfscon usbfs / u:object_r:usbfs:s0
|
||||||
|
|
4
init.te
4
init.te
|
@ -61,6 +61,10 @@ allow init tmpfs:dir mounton;
|
||||||
allow init cgroup:dir create_dir_perms;
|
allow init cgroup:dir create_dir_perms;
|
||||||
allow init cpuctl_device:dir { create mounton };
|
allow init cpuctl_device:dir { create mounton };
|
||||||
|
|
||||||
|
# /config
|
||||||
|
allow init configfs:dir mounton;
|
||||||
|
allow init configfs:dir create_dir_perms;
|
||||||
|
|
||||||
# Use tmpfs as /data, used for booting when /data is encrypted
|
# Use tmpfs as /data, used for booting when /data is encrypted
|
||||||
allow init tmpfs:dir relabelfrom;
|
allow init tmpfs:dir relabelfrom;
|
||||||
|
|
||||||
|
|
|
@ -478,6 +478,10 @@ userdebug_or_eng(`
|
||||||
allow system_server vold:fd use;
|
allow system_server vold:fd use;
|
||||||
allow system_server fuse_device:chr_file { read write ioctl getattr };
|
allow system_server fuse_device:chr_file { read write ioctl getattr };
|
||||||
|
|
||||||
|
# For configuring sdcardfs
|
||||||
|
allow system_server configfs:dir { create_dir_perms };
|
||||||
|
allow system_server configfs:file { getattr open unlink write };
|
||||||
|
|
||||||
# Connect to adbd and use a socket transferred from it.
|
# Connect to adbd and use a socket transferred from it.
|
||||||
# Used for e.g. jdwp.
|
# Used for e.g. jdwp.
|
||||||
allow system_server adbd:unix_stream_socket connectto;
|
allow system_server adbd:unix_stream_socket connectto;
|
||||||
|
|
|
@ -168,6 +168,7 @@ neverallow untrusted_app property_type:property_service set;
|
||||||
neverallow untrusted_app {
|
neverallow untrusted_app {
|
||||||
fs_type
|
fs_type
|
||||||
-fuse # sdcard
|
-fuse # sdcard
|
||||||
|
-sdcardfs # sdcard
|
||||||
file_type
|
file_type
|
||||||
-app_data_file # The apps sandbox itself
|
-app_data_file # The apps sandbox itself
|
||||||
-media_rw_data_file # Internal storage. Known that apps can
|
-media_rw_data_file # Internal storage. Known that apps can
|
||||||
|
|
|
@ -52,6 +52,7 @@ allow zygote proc_cpuinfo:file mounton;
|
||||||
allow zygote rootfs:dir mounton;
|
allow zygote rootfs:dir mounton;
|
||||||
allow zygote tmpfs:filesystem { mount unmount };
|
allow zygote tmpfs:filesystem { mount unmount };
|
||||||
allow zygote fuse:filesystem { unmount };
|
allow zygote fuse:filesystem { unmount };
|
||||||
|
allow zygote sdcardfs:filesystem { unmount };
|
||||||
|
|
||||||
# Allowed to create user-specific storage source if started before vold
|
# Allowed to create user-specific storage source if started before vold
|
||||||
allow zygote mnt_user_file:dir create_dir_perms;
|
allow zygote mnt_user_file:dir create_dir_perms;
|
||||||
|
|
Loading…
Reference in a new issue