1025d1383b
STEPS TO REPRODUCE:
1. Connect the device to Mac.
2. Switch to AFT.
3. Now AFT on Mac will show the device contents.
4. Now drag and drop the file to device and observe.
EXPECTED RESULTS:
Should able to copy.
OBSERVED RESULTS:
Showing can not copy file and on clicking ok,
It shows device storage can not connect and close the AFT.
Addresses the following denial:
W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd
12310 12530 E MtpRequestPacket: Malformed MTP request packet
ps -Z entry:
u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media
Bug: 15835289
Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
78 lines
3 KiB
Text
78 lines
3 KiB
Text
# Life begins with the kernel.
|
|
type kernel, domain, mlstrustedsubject;
|
|
|
|
allow kernel self:capability sys_nice;
|
|
|
|
# Run /init before we have switched domains.
|
|
allow kernel rootfs:file execute_no_trans;
|
|
|
|
# /dev/__null__ node created by init prior to policy load.
|
|
allow kernel tmpfs:chr_file rw_file_perms;
|
|
|
|
# setcon to init domain.
|
|
allow kernel self:process setcurrent;
|
|
allow kernel init:process dyntransition;
|
|
|
|
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
|
allow kernel unlabeled:dir search;
|
|
|
|
# Mount usbfs.
|
|
allow kernel usbfs:filesystem mount;
|
|
|
|
# init direct restorecon calls prior to switching to init domain
|
|
# /dev and /dev/socket
|
|
allow kernel tmpfs:dir relabelfrom;
|
|
allow kernel { device socket_device }:dir relabelto;
|
|
# /dev/__properties__
|
|
allow kernel tmpfs:file relabelfrom;
|
|
allow kernel properties_device:file relabelto;
|
|
# /sys
|
|
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
|
|
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
|
|
allow kernel sysfs_type:dir r_dir_perms;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Write to /proc/1/oom_adj prior to switching to init domain.
|
|
allow kernel self:capability sys_resource;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel selinuxfs:file write;
|
|
allow kernel self:security setcheckreqprot;
|
|
|
|
# MTP sync (b/15835289)
|
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
|
allow kernel untrusted_app:fd use;
|
|
allow kernel sdcard_type:file { read write };
|
|
|
|
# Allow the kernel to read OBB files from app directories. (b/17428116)
|
|
# Kernel thread "loop0" reads a vold supplied file descriptor.
|
|
# Fixes CTS tests:
|
|
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
|
|
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
|
|
allow kernel vold:fd use;
|
|
allow kernel app_data_file:file read;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The initial task starts in the kernel domain (assigned via
|
|
# initial_sid_contexts), but nothing ever transitions to it.
|
|
neverallow domain kernel:process { transition dyntransition };
|
|
|
|
# The kernel domain is never entered via an exec, nor should it
|
|
# ever execute a program outside the rootfs without changing to another domain.
|
|
# If you encounter an execute_no_trans denial on the kernel domain, then
|
|
# possible causes include:
|
|
# - The program is a kernel usermodehelper. In this case, define a domain
|
|
# for the program and domain_auto_trans() to it.
|
|
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
|
|
# program was left in the kernel domain and is now trying to execute
|
|
# some other program. Fix your init.rc file.
|
|
# - You are running an exploit which switched to the init task credentials
|
|
# and is then trying to exec a shell or other program. You lose!
|
|
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
|