| author | Steve Kondik <steve@cyngn.com> | 2016-07-26 18:41:44 -0700 |
|---|---|---|
| committer | Steve Kondik <steve@cyngn.com> | 2016-07-26 18:41:44 -0700 |
| commit | 908ba0035b1003aaa2acef9ee6392485f6c8055e (patch) | |
| tree | 772aa27f68f8af1c8700b1a89b630e96a1b31aac | |
| parent | 0d2bc4350ad290c0f5bdf69dbbc5baa716889b0b (diff) | |
sepolicy: Add policy for sdcardfs and configfs
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
| -rw-r--r-- | app.te | 2 | ||||
| -rw-r--r-- | file.te | 2 | ||||
| -rw-r--r-- | genfs_contexts | 2 | ||||
| -rw-r--r-- | init.te | 4 | ||||
| -rw-r--r-- | system_server.te | 4 | ||||
| -rw-r--r-- | zygote.te | 1 |
6 files changed, 15 insertions, 0 deletions
@@ -145,6 +145,8 @@ allow appdomain mnt_user_file:lnk_file r_file_perms;
 # Read/write visible storage
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
+allow appdomain sdcardfs:dir create_dir_perms;
+allow appdomain sdcardfs:file create_file_perms;
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
@@ -24,6 +24,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
@@ -34,6 +35,7 @@ type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 ifelse(shipping_build, `true',
 # Dummy this out in shipping to avoid breaking code mentioning the label
diff --git a/genfs_contexts b/genfs_contexts
index 0bbf97f..3aac306 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -34,6 +34,8 @@ genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
 genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
@@ -60,6 +60,10 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cpuctl_device:dir { create mounton };
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
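Review bot: The two added `allow appdomain sdcardfs:…` rules give every app domain the same create/write reach over the whole sdcardfs mount it already has over `fuse`, so per-app separation on external storage is not something this policy enforces; it rests on whatever owner/mode mapping sdcardfs itself applies, and that should be stated next to the rules, e.g. `# sdcardfs: same app access as fuse; per-app isolation comes from sdcardfs's own uid/gid/mode mapping, not from SELinux`. Because `sdcardfs` is declared with the `sdcard_type` attribute (file.te hunk), rules and neverallows written against `sdcard_type` carry over automatically, but any rule elsewhere in the tree written against the literal `fuse` type does not. This commit mirrors the app and zygote rules; the remaining `fuse`-specific rules in the tree should be audited for ones that also need an `sdcardfs` twin. The rest of app.te is outside this hunk.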
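Review bot: `type configfs, fs_type;` is the only new type in this hunk without a comment, unlike the neighbouring sysfs types that each carry a path comment; a line such as `# /config (configfs); written by system_server to configure sdcardfs` above it would tell the next reader why a kernel configuration filesystem is being labelled at all. It is also, deliberately or not, declared without `sysfs_type` or `mlstrustedobject`, so no existing attribute-based rule reaches it and only the explicit init and system_server rules in this commit grant access. That is the right default for a kernel-config interface and is worth recording in the comment so a later change does not casually add the attributes.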
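Review bot: `genfscon configfs / u:object_r:configfs:s0` puts a single label on the entire configfs mount, so every configfs subsystem the kernel exposes under /config (USB gadget configuration is the common one on devices that use it) shares a label with the sdcardfs control entries, and any domain granted write on `configfs` gets all of them. If the kernel honours path-based genfscon entries for configfs — it does for sysfs, I am not certain it does for configfs — a narrower `genfscon configfs /sdcardfs u:object_r:configfs_sdcardfs:s0`-style split would confine the system_server grant to the sdcardfs subtree. If it does not, the coarseness should at least be recorded: `# configfs is labelled as a whole; a grant on configfs reaches every subsystem under /config`.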
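Review bot: The `# /config` comment says where but not what: init gets `mounton` and `create_dir_perms` on `configfs:dir`, yet the `configfs:filesystem mount` permission that mounting /config actually requires is not in this hunk, so it is presumably covered by an attribute-wide `fs_type:filesystem` rule elsewhere in init.te that I cannot see from here — worth confirming and worth naming, e.g. `# /config: mount configfs and create the sdcardfs configuration directory used by system_server`. `create_dir_perms` also carries `rmdir`, `remove_name` and `reparent`; if init only needs to create the top-level sdcardfs directory after mounting, `{ create search write add_name setattr }` would be the tighter grant.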
diff --git a/system_server.te b/system_server.te
index a25ab21..b81a37c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -442,6 +442,10 @@ allow system_server mnt_expand_file:dir r_dir_perms;
 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
 allow system_server fingerprintd_data_file:file { getattr unlink };
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
 ###
 ### Neverallow rules
 ###
@@ -56,6 +56,7 @@ allow zygote tmpfs:dir { write create add_name setattr mounton search };
 # TODO: allow zygote tmpfs:filesystem { mount unmount };
 allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
+allow zygote sdcardfs:filesystem { unmount };
 # Allowed to create user-specific storage source if started before vold
 allow zygote mnt_user_file:dir create_dir_perms; |
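Review bot: `allow system_server configfs:file { getattr open unlink write };` together with `configfs:dir { create_dir_perms }` lets system_server create, delete and write under any directory carrying the `configfs` label, and since genfs_contexts labels the whole mount with that one type this is write access to every configfs subsystem present under /config, not only the sdcardfs entries the `# For configuring sdcardfs` comment describes. On a device that exposes other configfs subsystems (USB gadget configuration being the usual one) a compromised system_server could reconfigure them through this rule; if a narrower label for the sdcardfs subtree is not possible, the neverallow section that starts right below this hunk should at least keep every other domain off it, e.g. `neverallow { domain -init -system_server } configfs:{ dir file } { write create unlink };`. As a point of style, the braces in `{ create_dir_perms }` are redundant — the neighbouring rules use the macro bare — and the comment should say that the grant is mount-wide rather than sdcardfs-specific.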
