isolated_app.te: Give permissions for using sdcardfs

Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
diff --git a/public/isolated_app.te b/public/isolated_app.te
index f2216ee..fc9aba8 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -30,8 +30,10 @@
 # neverallow rules below.
 # TODO: consider removing write/append. We want to limit isolated_apps
 # ability to mutate files of any type.
-allow isolated_app sdcard_type:file { read write append getattr lock };
-auditallow isolated_app sdcard_type:file { write append };
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
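Review bot: the new allow line gives media_rw_data_file the same write and append permissions as sdcard_type, even though the TODO directly above it wants to shrink exactly those for isolated_app. Since the added comment describes media_rw_data_file as a workaround that goes away once sdcardfs changes the secontext, consider giving it its own rule pair instead of folding it into the set, for example `allow isolated_app media_rw_data_file:file { read getattr };` and adding write, append and lock only if the denials in the bug show they are needed. A separate rule also makes the later removal a clean two-line delete and keeps the auditallow output for the two types distinguishable. It would help to say in the commit message which permissions were actually denied, because the Test lines only point at the bug.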