authorJeff Sharkey <jsharkey@android.com>2015-04-02 16:14:40 -0700
committerJeff Sharkey <jsharkey@android.com>2015-04-02 18:20:22 -0700
commit93fd6f0a4e6b622ed0116c3233046baeeb3f7c1d (patch)
tree21e9908cd01723090b802593e7babc57b7835d3b
parentb87a4b16d2d9b110047e24edeeb2528bcffd0574 (diff)
Consistent external storage policy.
Apps, shell and adbd should all have identical access to external storage. Also document where we have files and/or symlinks. Bug: 20055945 Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
-rw-r--r--adbd.te7
-rw-r--r--app.te8
-rw-r--r--shell.te3
3 files changed, 11 insertions, 7 deletions
diff --git a/adbd.te b/adbd.te
index babbdc5..72deb50 100644
--- a/adbd.te
+++ b/adbd.te
@@ -86,3 +86,10 @@ allow adbd kernel:security read_policy;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir search;
+allow adbd mnt_user_file:lnk_file r_file_perms;
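Review bot: These four rules and their two-line comment are repeated verbatim for `appdomain` in the app.te hunk, so the "identical access" the description asks for holds only as long as both copies are edited together. Defining the set once, for example as a policy macro taking the domain as its argument, and invoking it from adbd.te and app.te would make that drift impossible; this is a style point and the rules as written look consistent. If the copies stay, a short cross-reference in each comment, such as `# Keep in sync with the external storage rules in app.te`, would at least flag the dependency.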
diff --git a/app.te b/app.te
index 4aad958..52a3bd6 100644
--- a/app.te
+++ b/app.te
@@ -124,11 +124,11 @@ allow appdomain media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };
-# See visible storage
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-# Follow the /storage/self/primary symlink
+allow appdomain storage_file:lnk_file r_file_perms;
+allow appdomain mnt_user_file:dir search;
allow appdomain mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
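Review bot: The new comment above the `appdomain` rules reads "Allow access to external storage" but does not record that the block is now narrower than before: `mnt_user_file:dir` goes from `r_dir_perms` to `search`, and `storage_file:file r_file_perms` is dropped entirely. A line such as `# search only on mnt_user_file:dir: traversal without listing; no storage_file:file access is granted here` would tell a later editor that the reduction is deliberate and should not be widened back. The rules under "# Read/write visible storage" lie outside the hunk, so whether regular-file access is covered by other types there cannot be confirmed from this view.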
diff --git a/shell.te b/shell.te
index a58fc5d..cfadf77 100644
--- a/shell.te
+++ b/shell.te
@@ -74,6 +74,3 @@ allow shell domain:process getattr;
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
-
-# Follow the /storage/self/primary symlink
-allow shell storage_file:lnk_file r_file_perms;