From c94e2392f6d92064e3aa32fff2c5a70116c7398a Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 6 Jan 2012 10:25:53 -0500
Subject: [PATCH] Further policy for Motorola Xoom.
---
 app.te | 3 +++
 device.te | 1 +
 file_contexts | 1 +
 netd.te | 4 ++--
 system.te | 1 +
 5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app.te b/app.te
index b2bd81750..976b6bcf4 100644
--- a/app.te
+++ b/app.te
@@ -14,6 +14,9 @@ net_domain(trusted_app)
 bluetooth_domain(trusted_app)
 # Read logs.
 allow trusted_app log_device:chr_file read;
+# Access /dev/mtp_usb.
+# XXX Split android.process.media into a separate domain?
+allow trusted_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow trusted_app cache_file:dir rw_dir_perms;
 allow trusted_app cache_file:file create_file_perms;
diff --git a/device.te b/device.te
index 1b9df4f54..6424db647 100644
--- a/device.te
+++ b/device.te
@@ -21,6 +21,7 @@ type input_device, dev_type;
 type kmem_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;
 type nv_device, dev_type, mlstrustedobject;
 type powervr_device, dev_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 332017d70..92c6bb0f4 100644
--- a/file_contexts
+++ b/file_contexts
@@ -33,6 +33,7 @@
 /dev/mtd(/.*)? u:object_r:mtd_device:s0
 /dev/mtd/mtd5 u:object_r:radio_device:s0
 /dev/mtd/mtd5ro u:object_r:radio_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
 /dev/pn544 u:object_r:nfc_device:s0
 /dev/ptmx u:object_r:ptmx_device:s0
 /dev/pvrsrvkm u:object_r:powervr_device:s0
diff --git a/netd.te b/netd.te
index 94c960412..47687dc7d 100644
--- a/netd.te
+++ b/netd.te
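Review bot: The new `allow trusted_app mtp_device:chr_file rw_file_perms;` in app.te gives every process in the trusted_app domain read/write access to /dev/mtp_usb, not only the media process that the XXX comment names. The device.te hunk also declares `mtp_device` with `mlstrustedobject`; assuming the MLS constraints exempt that attribute as they appear to for the other types carrying it, level-based separation does not narrow access to the node either. The XXX line records the domain split as an open question but not what is exposed in the meantime; I would extend it to `# XXX All trusted apps can reach the MTP USB endpoint until android.process.media has its own domain.` and add a one-line comment above the type declaration stating why the MLS exemption is needed. Once the media process has its own domain, this rule should move there and the attribute be re-checked.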
@@ -21,10 +21,10 @@ allow netd devpts:chr_file rw_file_perms; # XXX Split /proc/sys/net into its own type. allow netd proc:file write; -# For firmware_path +# For /sys/modules/bcmdhd/parameters/firmware_path # XXX Split into its own type. allow netd sysfs:file write; -# Load network drivers. +# Network driver loading. allow netd kernel:system module_request; diff --git a/system.te b/system.te index eff738670..970aed8f4 100644 --- a/system.te +++ b/system.te @@ -100,6 +100,7 @@ selinux_check_access(system) allow system sysfs:file rw_file_perms; # Access devices. +allow system device:dir r_dir_perms; allow system device:chr_file rw_file_perms; allow system akm_device:chr_file rw_file_perms; allow system accelerometer_device:chr_file rw_file_perms;
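Review bot: The path in the rewritten comment, `/sys/modules/bcmdhd/parameters/firmware_path`, does not match where Linux exposes module parameters, which is `/sys/module/<name>/parameters/` (singular); it should read `# For /sys/module/bcmdhd/parameters/firmware_path`. The exact path matters because the XXX line below it plans a dedicated type for this file, and until then `allow netd sysfs:file write;` covers every file labelled `sysfs`, so whoever narrows the rule will work from this comment. The hunk changes comments only; the allow rules are unchanged context.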
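Review bot: `allow system device:dir r_dir_perms;` in system.te is added with no comment saying which directory the system domain needs to list or which Xoom component requires it, unlike the app.te addition that names its node. The next context line already grants `rw_file_perms` on every chr_file still carrying the generic `device` type, so together the two rules let system enumerate and then open any node that file_contexts has not given its own type (presumably /dev and its unlabelled subdirectories). I would add `# List generic /dev directories (needed by <component> on Xoom).` above the rule and an `# XXX Label remaining generic device nodes with their own types.` so the broad grant is tracked. The rest of system.te lies outside the hunk.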