Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 17c675b327727b180e5096fb76ae6ad9411d2ddc^! / .
commit17c675b327727b180e5096fb76ae6ad9411d2ddc[log] [tgz]
authorJeff Sharkey <jsharkey@android.com>Fri Dec 02 13:13:57 2016 -0700
committerJeff Sharkey <jsharkey@android.com>Fri Dec 02 13:16:05 2016 -0700
treeb27d740b8df5861d41a9c6274a1985abb3170f23
parent685ef6b8216f94e7e2a2bac4ee04aaada5db4a81 [diff]
Allow system_server to measure emulated stats.

Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.

These rule changes give us just enough access to measure statistics.

avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382

diff --git a/public/system_server.te b/public/system_server.te
index f9dbc89..d6fb0a4 100644
--- a/public/system_server.te
+++ b/public/system_server.te

@@ -321,7 +321,11 @@
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
 
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
 # Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };
 
 # Relabel apk files.
@@ -541,11 +545,6 @@
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow system_server media_rw_data_file:dir search;
-
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;