Commits

Anonymous committed 588bb5c Merge

Merge "Confine sdcardd, but leave it permissive for now."

  • Participants
  • Parent commits c48fd77, 15abc95

Comments (0)

Files changed (1)

 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
-unconfined_domain(sdcardd)
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Compatibility for existing devices with /data/media in system_data_file.
+# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
+allow sdcardd system_data_file:dir  create_dir_perms;
+allow sdcardd system_data_file:file create_file_perms;