author | Nick Kralevich <nnk@google.com> | 2014-09-04 11:04:23 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-09-04 13:40:06 -0700 |
commit | 5fc825c91715ad0b983b42986e93070eb7ce333d (patch) | |
tree | 16bd68cf84d377888bdae44ab1e4d8e642975d01 | |
parent | 018e9402c656c20289ea382dc72f958aa7e054d1 (diff) | |
sdcardd: grant unmount
If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:
sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0
Allow the operation.
Steps to reproduce:
1) adb shell into the device and su to root
2) run "kill -9 [PID OF SDCARD]"
Expected:
sdcard daemon successfully restarts without error message.
Actual:
SELinux denial above, plus attempts to mount a new filesystem
on top of the existing filesystem.
(cherrypicked from commit abfd427a3226a8bb696e5e5b9239f5445a680f6c)
Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
-rw-r--r-- | sdcardd.te | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -6,7 +6,7 @@ init_daemon_domain(sdcardd) allow sdcardd cgroup:dir create_dir_perms; allow sdcardd fuse_device:chr_file rw_file_perms; allow sdcardd rootfs:dir mounton; -allow sdcardd sdcard_type:filesystem mount; +allow sdcardd sdcard_type:filesystem { mount unmount }; allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; allow sdcardd sdcard_type:dir create_dir_perms; |
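Review bot: on the changed line `allow sdcardd sdcard_type:filesystem { mount unmount };`, unmount is granted on everything labelled through `sdcard_type`, while the only denial quoted in the commit message has `tcontext=u:object_r:fuse:s0`. If `sdcard_type` covers more filesystem types than `fuse`, this is wider than the restart case requires; a separate rule scoped to `fuse:filesystem unmount` would match the observed denial exactly. If the wider target is kept for symmetry with the existing `mount` permission, a short comment above the rule saying that unmount is needed when a restarted sdcard daemon tears down the stale /mnt/shell/emulated mount would let a later policy audit see why the permission is there.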