Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev

am: cf8719e

* commit 'cf8719e7bad53d6c38b2825b736c27c3f37dbf4e':
  sepolicy: Add policy for sdcardfs and configfs
This commit is contained in:
Daniel Rosenberg 2016-03-22 00:51:44 +00:00 committed by android-build-merger
commit bc2f0e50f2
7 changed files with 16 additions and 0 deletions

2
app.te
View file

@ -182,6 +182,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage # Read/write visible storage
allow appdomain fuse:dir create_dir_perms; allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms; allow appdomain fuse:file create_file_perms;
allow appdomain sdcardfs:dir create_dir_perms;
allow appdomain sdcardfs:file create_file_perms;
# Access OBBs (vfat images) mounted by vold (b/17633509) # Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework # File write access allowed for FDs returned through Storage Access Framework

View file

@ -29,6 +29,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type; type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type; type sysfs_mac_address, fs_type, sysfs_type;
type configfs, fs_type;
# /sys/devices/system/cpu # /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type; type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller # /sys/module/lowmemorykiller
@ -41,6 +42,7 @@ type tmpfs, fs_type;
type shm, fs_type; type shm, fs_type;
type mqueue, fs_type; type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject; type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject; type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type; type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;

View file

@ -35,6 +35,8 @@ genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0 genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0 genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0 genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0 genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0 genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0 genfscon usbfs / u:object_r:usbfs:s0

View file

@ -61,6 +61,10 @@ allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms; allow init cgroup:dir create_dir_perms;
allow init cpuctl_device:dir { create mounton }; allow init cpuctl_device:dir { create mounton };
# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
# Use tmpfs as /data, used for booting when /data is encrypted # Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom; allow init tmpfs:dir relabelfrom;

View file

@ -478,6 +478,10 @@ userdebug_or_eng(`
allow system_server vold:fd use; allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr }; allow system_server fuse_device:chr_file { read write ioctl getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open unlink write };
# Connect to adbd and use a socket transferred from it. # Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp. # Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto; allow system_server adbd:unix_stream_socket connectto;

View file

@ -168,6 +168,7 @@ neverallow untrusted_app property_type:property_service set;
neverallow untrusted_app { neverallow untrusted_app {
fs_type fs_type
-fuse # sdcard -fuse # sdcard
-sdcardfs # sdcard
file_type file_type
-app_data_file # The apps sandbox itself -app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can -media_rw_data_file # Internal storage. Known that apps can

View file

@ -52,6 +52,7 @@ allow zygote proc_cpuinfo:file mounton;
allow zygote rootfs:dir mounton; allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount }; allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount }; allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };
# Allowed to create user-specific storage source if started before vold # Allowed to create user-specific storage source if started before vold
allow zygote mnt_user_file:dir create_dir_perms; allow zygote mnt_user_file:dir create_dir_perms;