author | Jeff Sharkey <jsharkey@android.com> | 2015-04-02 16:14:40 -0700 |
committer | Jeff Sharkey <jsharkey@android.com> | 2015-04-02 18:20:22 -0700 |
commit | 93fd6f0a4e6b622ed0116c3233046baeeb3f7c1d (patch) | |
tree | 21e9908cd01723090b802593e7babc57b7835d3b | |
parent | b87a4b16d2d9b110047e24edeeb2528bcffd0574 (diff) | |
download | android_external_sepolicy-93fd6f0a4e6b622ed0116c3233046baeeb3f7c1d.tar.gz android_external_sepolicy-93fd6f0a4e6b622ed0116c3233046baeeb3f7c1d.tar.bz2 android_external_sepolicy-93fd6f0a4e6b622ed0116c3233046baeeb3f7c1d.zip |
Consistent external storage policy.
Apps, shell and adbd should all have identical access to external
storage. Also document where we have files and/or symlinks.
Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
-rw-r--r-- | adbd.te | 7 | ||||
-rw-r--r-- | app.te | 8 | ||||
-rw-r--r-- | shell.te | 3 |
3 files changed, 11 insertions, 7 deletions
@@ -86,3 +86,10 @@ allow adbd kernel:security read_policy;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir search;
+allow adbd mnt_user_file:lnk_file r_file_perms;
@@ -124,11 +124,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
-# See visible storage
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-# Follow the /storage/self/primary symlink
+allow appdomain storage_file:lnk_file r_file_perms;
+allow appdomain mnt_user_file:dir search;
 allow appdomain mnt_user_file:lnk_file r_file_perms;
 # Read/write visible storage
@@ -74,6 +74,3 @@ allow shell domain:process getattr;
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;
-
-# Follow the /storage/self/primary symlink
-allow shell storage_file:lnk_file r_file_perms;
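Review bot: The comment added above the four new adbd rules says "Allow access to external storage", but the rules themselves grant only directory listing/search (`storage_file:dir r_dir_perms`, `mnt_user_file:dir search`) and symlink reading (`lnk_file r_file_perms`), with no `storage_file:file` permission, so a reader may assume file reads are covered when they are not. A wording that matches the rules would be `# Allow traversing the external storage mount points under /storage and following their symlinks` followed by the existing sentence about /storage/sdcard0 and /mnt/user/0/primary; presumably the data reached through those symlinks carries a different label, which is worth stating explicitly. The commit message also says adbd, shell and apps should end up with identical access, yet the shell.te hunk only removes `allow shell storage_file:lnk_file r_file_perms;` and adds none of these four rules, so unless shell obtains them elsewhere it finishes with strictly less storage access than adbd and appdomain.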
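Review bot: The app.te hunk silently tightens appdomain — `allow appdomain storage_file:file r_file_perms;` is dropped and `mnt_user_file:dir` goes from `r_dir_perms` to `search` — but neither the replacement comment nor the commit message records that apps lose reads of storage_file-labelled files and listing of the per-user mount directory. Since the same two-line comment is now duplicated verbatim between adbd.te and app.te, a one-line note on the narrowing would keep the intent recoverable, e.g. `# Apps may search but not list /mnt/user/<N>; only the symlinks there are readable` placed above `allow appdomain mnt_user_file:dir search;`. If the narrowing is deliberate per the referenced bug, saying so in the comment avoids a later "restore" that re-widens the policy.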