Allow mediaprovider_app access to /proc/filesystems.
It needs to be able to see supported filesystems to handle external storage correctly. Bug: 146419093 Test: no denials Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
parent
2ddfad3709
commit
fd54803f0b
@ -186,7 +186,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
|
||||
neverallow all_untrusted_apps {
|
||||
proc
|
||||
proc_asound
|
||||
proc_filesystems
|
||||
proc_kmsg
|
||||
proc_loadavg
|
||||
proc_mounts
|
||||
@ -200,6 +199,10 @@ neverallow all_untrusted_apps {
|
||||
proc_vmstat
|
||||
}:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# /proc/filesystems is accessible to mediaprovider_app only since it handles
|
||||
# external storage
|
||||
neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Avoid all access to kernel configuration
|
||||
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
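Review bot: The new carve-out `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };` exempts mediaprovider_app from the whole permission set, write and execute included, although the only access this commit grants is `r_file_perms`. A later allow rule giving mediaprovider_app write or execute access to proc_filesystems would therefore no longer be caught at policy build time. A companion rule would keep the relaxation to reads only: `neverallow mediaprovider_app proc_filesystems:file { no_w_file_perms no_x_file_perms };`. The comment above the rule could also read "readable by mediaprovider_app only", since a neverallow exception grants nothing by itself.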
|
||||
|
||||
|
@ -38,3 +38,5 @@ allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
|
||||
FS_IOC_GETFLAGS
|
||||
FS_IOC_SETFLAGS
|
||||
};
|
||||
|
||||
allow mediaprovider_app proc_filesystems:file r_file_perms;
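Review bot: The added `allow mediaprovider_app proc_filesystems:file r_file_perms;` carries no comment, so the reason for the grant sits only in the commit message and in the neverallow file. A one-line comment above it, for example `# Read /proc/filesystems to detect supported filesystems for external storage`, would keep the justification next to the rule. If the domain only opens and reads the file, a narrower set such as `{ getattr open read }` would presumably be enough in place of `r_file_perms`; this is worth confirming against the denials seen in testing.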
|
||||
|