From fd54803f0b2865735c51987baf4b80011bc5be5c Mon Sep 17 00:00:00 2001
From: Martijn Coenen
Date: Wed, 19 Feb 2020 17:10:43 +0100
Subject: [PATCH] Allow mediaprovider_app access to /proc/filesystems.

It needs to be able to see supported filesystems to handle external storage correctly.

Bug: 146419093
Test: no denials
Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
---
 private/app_neverallows.te | 5 ++++-
 private/mediaprovider_app.te | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516c6..66e9f69d2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 neverallow all_untrusted_apps {
 proc
 proc_asound
- proc_filesystems
 proc_kmsg
 proc_loadavg
 proc_mounts
@@ -200,6 +199,10 @@ neverallow all_untrusted_apps {
 proc_vmstat
 }:file { no_rw_file_perms no_x_file_perms };
 
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2da1..0b1047ae8 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@ allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
 FS_IOC_GETFLAGS
 FS_IOC_SETFLAGS
 };
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
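Review bot: The exemption on the new `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };` line lifts every restriction on mediaprovider_app for this label, not only the read access the change needs, so a later `allow` granting write or execute on proc_filesystems to that domain would no longer be rejected at policy build time. The read-only intent is currently enforced only by the `r_file_perms` chosen in mediaprovider_app.te. Pinning it next to the exemption keeps the carve-out minimal: `neverallow mediaprovider_app proc_filesystems:file { no_w_file_perms no_x_file_perms };`. The preceding hunk in this file, which removes proc_filesystems from the shared list, is consistent with that arrangement.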
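Review bot: The new `allow mediaprovider_app proc_filesystems:file r_file_perms;` carries no comment explaining why this domain needs the access, while the matching exemption in app_neverallows.te does; a reader of this file alone sees only that an untrusted-app domain gained a /proc read. Suggest placing `# Read supported filesystems to handle external storage correctly (Bug 146419093)` above the rule. r_file_perms is read-only, so the grant itself matches the need stated in the commit message.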