From 14e765cd711b2b6473f0c553a6f374818fe46293 Mon Sep 17 00:00:00 2001
From: codeworkx
Date: Fri, 1 Jan 2016 17:29:10 +0100
Subject: [PATCH 1/2] cm: sepolicy: fix denials for external storage

Change-Id: I784a859671c69370cab0118a88a5fb0190352af9
---
 sepolicy/fsck_untrusted.te | 2 ++
 sepolicy/genfs_contexts | 2 ++
 sepolicy/system_server.te | 2 ++
 sepolicy/vold.te | 5 +++++
 4 files changed, 11 insertions(+)
 create mode 100644 sepolicy/fsck_untrusted.te

diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te
new file mode 100644
index 00000000..5d12f768
--- /dev/null
+++ b/sepolicy/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# External storage
+allow fsck_untrusted self:capability sys_admin;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index cec9f01e..b39d3dda 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1 +1,3 @@
 genfscon fuseblk / u:object_r:sdcard_external:s0
+genfscon exfat / u:object_r:sdcard_external:s0
+genfscon ntfs / u:object_r:sdcard_external:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index b6a65ee2..a9000b6a 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -4,3 +4,5 @@ allow system_server recovery_cache_file:file create_file_perms;
 # Persistent properties
 allow system_server persist_property_file:dir rw_dir_perms;
 allow system_server persist_property_file:file { create_file_perms unlink };
+
+allow system_server storage_stub_file:dir { getattr };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9b7313c2..efca286b 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -14,3 +14,8 @@ allow vold self:capability { setgid setuid };
 recovery_only(`
 allow vold rootfs:dir { add_name write };
 ')
+
+# External storage
+allow vold storage_stub_file:dir { rw_file_perms search add_name };
+allow vold mnt_media_rw_stub_file:dir r_dir_perms;
+allow vold mkfs_exec:file { execute read open execute_no_trans };
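Review bot: In sepolicy/fsck_untrusted.te, `allow fsck_untrusted self:capability sys_admin;` gives CAP_SYS_ADMIN to the domain that parses filesystems from removable media, which is input the device owner does not control. The only explanation is the comment `# External storage`, and the hunk does not show which fsck helper or operation raised the denial, so it is unclear whether the capability is needed or merely probed. If the checker completes without it, `dontaudit fsck_untrusted self:capability sys_admin;` would silence the denial without granting anything. If it is required, a comment naming the tool and the denied operation would let a later audit re-evaluate the grant.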
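Review bot: The rule added to sepolicy/system_server.te has no comment, unlike the `# External storage` header this commit adds in fsck_untrusted.te and vold.te. A matching `# External storage` line above it would keep the file's per-section comment style, as used for `# Persistent properties`. The braces around a single permission are also unnecessary: `allow system_server storage_stub_file:dir getattr;`.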
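Review bot: In sepolicy/vold.te, `allow vold mkfs_exec:file { execute read open execute_no_trans };` lets the formatter run inside the vold domain, so a helper that works on external block devices keeps all of vold's permissions instead of being confined on its own. If the policy has, or can get, a dedicated domain for that binary, a transition such as `domain_auto_trans(vold, mkfs_exec, mkfs)` would keep it separately confined; `mkfs` is a placeholder domain name, since no such type is visible in this patch. Separately, `storage_stub_file:dir { rw_file_perms search add_name }` applies a file-class macro to a directory and so also carries `append`, `lock` and `ioctl`. Listing only the directory permissions seen in the denials would state the intent more precisely.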
From 511152cd2c67e7f965fdbf451111522f898a2584 Mon Sep 17 00:00:00 2001
From: Matt Mower
Date: Sun, 27 Dec 2015 12:26:23 -0600
Subject: [PATCH 2/2] sepolicy: Allow minivold execute_no_trans

After assimilating minivold into /sbin/recovery, we need to allow the minivold service (a symlink to the recovery binary) to transition from the recovery to the vold domain.

Change-Id: I112e6d371a8da8fc55a06967852c869105190616
---
 sepolicy/vold.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index efca286b..0c50c71b 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -13,6 +13,7 @@ allow vold self:capability { setgid setuid };
 # Vold can also run as minivold in the rootfs
 recovery_only(`
 allow vold rootfs:dir { add_name write };
+ allow vold rootfs:file execute_no_trans;
 ')
 
 # External storage
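Review bot: The added `allow vold rootfs:file execute_no_trans;` covers every file labelled rootfs and permits execution without a domain change, whereas the commit message describes a transition from the recovery to the vold domain; the rule and the description should agree. The existing comment `# Vold can also run as minivold in the rootfs` does not explain the new line. A comment such as `# minivold is a symlink to /sbin/recovery; vold re-executes that rootfs binary in its own domain` would help, once confirmed against the actual denial. The rule sits inside `recovery_only`, which keeps it out of the normal boot policy.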