Allow mediaprovider_app access to /proc/filesystems.

It needs to be able to see supported filesystems to handle external
storage correctly.

Bug: 146419093
Test: no denials
Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
Martijn Coenen 2020-02-19 17:10:43 +01:00
parent 2ddfad3709
commit fd54803f0b
2 changed files with 6 additions and 1 deletions


@ -186,7 +186,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
neverallow all_untrusted_apps {
proc
proc_asound
proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@ -200,6 +199,10 @@ neverallow all_untrusted_apps {
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# /proc/filesystems is accessible to mediaprovider_app only since it handles
# external storage
neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
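Review bot: The new `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file ...` line drops mediaprovider_app from the assertion entirely, so nothing in this hunk still forbids a later rule from granting that domain write or execute on proc_filesystems. The commit message only asks for the ability to see supported filesystems, so the exception can stay read-only by adding `neverallow mediaprovider_app proc_filesystems:file { no_w_file_perms no_x_file_perms };` next to it. The existing comment could then say "read-only access" rather than "accessible", so that the carve-out and its limit are documented together. The neverallow block this hunk edits starts outside the lines shown here.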


@ -38,3 +38,5 @@ allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
allow mediaprovider_app proc_filesystems:file r_file_perms;
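Review bot: The added `allow mediaprovider_app proc_filesystems:file r_file_perms;` at the end of this hunk has no comment explaining the grant, although the matching neverallow exception is commented. A line such as `# Read /proc/filesystems to learn which filesystems are supported for external storage.` above the rule would keep the reason next to the permission. `r_file_perms` also includes ioctl, lock and map in addition to open/read/getattr. If the caller only opens and reads the file, `{ getattr open read }` would be the narrower grant, but that should be confirmed against a denial-free test run before tightening.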