sepolicy: fix denials for external storage
Change-Id: I784a859671c69370cab0118a88a5fb0190352af9
diff --git a/common/private/file.te b/common/private/file.te
index ea6af04..eb469cc 100644
--- a/common/private/file.te
+++ b/common/private/file.te
@@ -1,2 +1,4 @@
# Filesystems
+type exfat, sdcard_type, fs_type, mlstrustedobject;
type fuseblk, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
diff --git a/common/private/fsck_untrusted.te b/common/private/fsck_untrusted.te
new file mode 100644
index 0000000..5d12f76
--- /dev/null
+++ b/common/private/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# External storage
+allow fsck_untrusted self:capability sys_admin;
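Review bot: `sys_admin` is a very broad capability to grant to `fsck_untrusted`, the domain that runs filesystem checkers over removable media whose contents may be attacker-controlled. Neither the rule nor its `# External storage` comment says which operation raised the denial. If the checker completes without the capability, `dontaudit fsck_untrusted self:capability sys_admin;` silences the log without widening the domain. If it is genuinely required, a comment naming the tool and the call that needs it would let a later reviewer re-evaluate the grant.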
diff --git a/common/private/genfs_contexts b/common/private/genfs_contexts
index 6152690..ae77a83 100644
--- a/common/private/genfs_contexts
+++ b/common/private/genfs_contexts
@@ -1 +1,3 @@
+genfscon exfat / u:object_r:exfat:s0
genfscon fuseblk / u:object_r:fuseblk:s0
+genfscon ntfs / u:object_r:ntfs:s0
diff --git a/common/private/system_server.te b/common/private/system_server.te
new file mode 100644
index 0000000..0a3f565
--- /dev/null
+++ b/common/private/system_server.te
@@ -0,0 +1 @@
+allow system_server storage_stub_file:dir getattr;
diff --git a/common/private/vold.te b/common/private/vold.te
new file mode 100644
index 0000000..628c8c1
--- /dev/null
+++ b/common/private/vold.te
@@ -0,0 +1,4 @@
+# External storage
+allow vold mkfs_exec:file { execute read open execute_no_trans };
+allow vold mnt_media_rw_stub_file:dir r_dir_perms;
+allow vold storage_stub_file:dir { rw_file_perms search add_name };
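Review bot: The last rule applies `rw_file_perms`, a file-class macro, to class `dir`, so vold also receives `ioctl`, `lock`, `append` and similar permissions on `storage_stub_file` directories, which the denials being fixed presumably did not ask for. Listing only what the denials show, for example `allow vold storage_stub_file:dir { open read write search add_name };`, or using the directory macro `rw_dir_perms` if removal is also needed, keeps the grant narrow and readable. Separately, `execute_no_trans` on `mkfs_exec` means the formatter runs inside the vold domain with all of vold's permissions. A comment stating that this is intended, or a dedicated domain transition, would make that choice explicit.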