Split internal and external sdcards
Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
This commit is contained in:
William Roberts
Stephen Smalley
parent
1ed1effabf
commit
c195ec3148
12 changed files with 32 additions and 22 deletions
20
app.te
20
app.te
|
|
@ -89,8 +89,8 @@ net_domain(browser_app)
|
|||
allow platformappdomain platform_app_data_file:dir create_dir_perms;
|
||||
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
|
||||
# App sdcard file accesses
|
||||
allow platformappdomain sdcard:dir create_dir_perms;
|
||||
allow platformappdomain sdcard:file create_file_perms;
|
||||
allow platformappdomain sdcard_type:dir create_dir_perms;
|
||||
allow platformappdomain sdcard_type:file create_file_perms;
|
||||
# System data file accesses (e.g, shared objects from the lib directory)
|
||||
allow platformappdomain system_data_file:file { execute open };
|
||||
|
||||
|
|
@ -119,11 +119,17 @@ if (app_bluetooth or android_cts) {
|
|||
# No specific SELinux class for bluetooth sockets presently.
|
||||
allow untrusted_app self:socket *;
|
||||
}
|
||||
# SDCard rw access.
|
||||
bool app_sdcard_rw true;
|
||||
if (app_sdcard_rw) {
|
||||
allow untrusted_app sdcard:dir create_dir_perms;
|
||||
allow untrusted_app sdcard:file create_file_perms;
|
||||
# Internal SDCard rw access.
|
||||
bool app_internal_sdcard_rw true;
|
||||
if (app_internal_sdcard_rw) {
|
||||
allow untrusted_app sdcard_internal:dir create_dir_perms;
|
||||
allow untrusted_app sdcard_internal:file create_file_perms;
|
||||
}
|
||||
# External SDCard rw access.
|
||||
bool app_external_sdcard_rw true;
|
||||
if (app_external_sdcard_rw) {
|
||||
allow untrusted_app sdcard_external:dir create_dir_perms;
|
||||
allow untrusted_app sdcard_external:file create_file_perms;
|
||||
}
|
||||
# Native app support.
|
||||
bool app_ndk false;
|
||||
|
|
|
|||
|
|
@ -24,6 +24,9 @@ attribute data_file_type;
|
|||
# All types use for sysfs files.
|
||||
attribute sysfs_type;
|
||||
|
||||
# Attribute used for all sdcards
|
||||
attribute sdcard_type;
|
||||
|
||||
# All types used for nodes/hosts.
|
||||
attribute node_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ binder_service(drmserver)
|
|||
# Perform Binder IPC to mediaserver
|
||||
binder_call(drmserver, mediaserver)
|
||||
|
||||
allow drmserver sdcard:dir search;
|
||||
allow drmserver sdcard_type:dir search;
|
||||
allow drmserver drm_data_file:dir create_dir_perms;
|
||||
allow drmserver drm_data_file:file create_file_perms;
|
||||
allow drmserver self:{ tcp_socket udp_socket } *;
|
||||
|
|
|
|||
3
file.te
3
file.te
|
|
@ -16,7 +16,8 @@ type devpts, fs_type, mlstrustedobject;
|
|||
type tmpfs, fs_type;
|
||||
type shm, fs_type;
|
||||
type mqueue, fs_type;
|
||||
type sdcard, fs_type, mlstrustedobject;
|
||||
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
|
||||
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
|
||||
type debugfs, fs_type, mlstrustedobject;
|
||||
|
||||
# File types
|
||||
|
|
|
|||
|
|
@ -9,6 +9,6 @@ genfscon cgroup / u:object_r:cgroup:s0
|
|||
# sysfs labels can be set by userspace.
|
||||
genfscon sysfs / u:object_r:sysfs:s0
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
genfscon vfat / u:object_r:sdcard:s0
|
||||
genfscon vfat / u:object_r:sdcard_external:s0
|
||||
genfscon debugfs / u:object_r:debugfs:s0
|
||||
genfscon fuse / u:object_r:sdcard:s0
|
||||
genfscon fuse / u:object_r:sdcard_internal:s0
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ net_domain(mediaserver)
|
|||
init_daemon_domain(mediaserver)
|
||||
unix_socket_connect(mediaserver, property, init)
|
||||
|
||||
r_dir_file(mediaserver, sdcard)
|
||||
r_dir_file(mediaserver, sdcard_type)
|
||||
|
||||
binder_use(mediaserver)
|
||||
binder_call(mediaserver, binderservicedomain)
|
||||
|
|
@ -18,7 +18,7 @@ binder_service(mediaserver)
|
|||
allow mediaserver kernel:system module_request;
|
||||
allow mediaserver app_data_file:dir search;
|
||||
allow mediaserver app_data_file:file r_file_perms;
|
||||
allow mediaserver sdcard:file write;
|
||||
allow mediaserver sdcard_type:file write;
|
||||
allow mediaserver camera_device:chr_file rw_file_perms;
|
||||
allow mediaserver graphics_device:chr_file rw_file_perms;
|
||||
allow mediaserver video_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
2
rild.te
2
rild.te
|
|
@ -23,7 +23,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
|
|||
allow rild radio_data_file:dir r_dir_perms;
|
||||
allow rild radio_data_file:file rw_file_perms;
|
||||
allow rild radio_device:lnk_file r_file_perms;
|
||||
allow rild sdcard:dir r_dir_perms;
|
||||
allow rild sdcard_type:dir r_dir_perms;
|
||||
allow rild system_data_file:dir create_dir_perms;
|
||||
allow rild system_data_file:file create_file_perms;
|
||||
allow rild system_file:file x_file_perms;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ init_daemon_domain(sdcardd)
|
|||
allow sdcardd cgroup:dir create_dir_perms;
|
||||
allow sdcardd fuse_device:chr_file rw_file_perms;
|
||||
allow sdcardd rootfs:dir mounton;
|
||||
allow sdcardd sdcard:filesystem mount;
|
||||
allow sdcardd sdcard_type:filesystem mount;
|
||||
allow sdcardd self:capability { setuid setgid dac_override sys_admin };
|
||||
allow sdcardd system_data_file:dir create_dir_perms;
|
||||
allow sdcardd system_data_file:file create_file_perms;
|
||||
|
|
|
|||
4
shell.te
4
shell.te
|
|
@ -13,8 +13,8 @@ allow shell shell_data_file:file create_file_perms;
|
|||
allow shell shell_data_file:file rx_file_perms;
|
||||
|
||||
# Access sdcard.
|
||||
allow shell sdcard:dir rw_dir_perms;
|
||||
allow shell sdcard:file create_file_perms;
|
||||
allow shell sdcard_type:dir rw_dir_perms;
|
||||
allow shell sdcard_type:file create_file_perms;
|
||||
|
||||
r_dir_file(shell, apk_data_file)
|
||||
allow shell dalvikcache_data_file:file write;
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ selinux_getenforce(system)
|
|||
selinux_getenforce(system_app)
|
||||
|
||||
# Settings app reads sdcard for storage stats
|
||||
allow system_app sdcard:dir r_dir_perms;
|
||||
allow system_app sdcard_type:dir r_dir_perms;
|
||||
|
||||
bool manage_selinux true;
|
||||
if (manage_selinux) {
|
||||
|
|
|
|||
6
vold.te
6
vold.te
|
|
@ -10,9 +10,9 @@ allow vold block_device:blk_file create_file_perms;
|
|||
allow vold block_device:lnk_file read;
|
||||
allow vold devpts:chr_file rw_file_perms;
|
||||
allow vold rootfs:dir mounton;
|
||||
allow vold sdcard:dir mounton;
|
||||
allow vold sdcard:filesystem { mount remount unmount };
|
||||
allow vold sdcard:dir create_dir_perms;
|
||||
allow vold sdcard_type:dir mounton;
|
||||
allow vold sdcard_type:filesystem { mount remount unmount };
|
||||
allow vold sdcard_type:dir create_dir_perms;
|
||||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
allow vold tmpfs:dir mounton;
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ allow zygote rootfs:file r_file_perms;
|
|||
|
||||
# Setting up /storage/emulated.
|
||||
allow zygote rootfs:dir mounton;
|
||||
allow zygote sdcard:dir { write search setattr create add_name mounton };
|
||||
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
|
||||
dontaudit zygote self:capability fsetid;
|
||||
allow zygote tmpfs:dir { write create add_name setattr mounton };
|
||||
allow zygote tmpfs:filesystem mount;
|
||||
|
|
|
|||
Loading…
Reference in a new issue