Merge commit '1afe62d1781e2fcf117a386a7a1162cf856c23dd' into manual_merge_1afe62d1781e2fcf117a386a7a1162cf856c23dd
Test: presubmit
Change-Id: Iaf63a24193cd1bb0c87f1d00182cc995b5fbeb60
diff --git a/private/system_server.te b/private/system_server.te
index 619a1f7..bd073ff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -741,8 +741,7 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
diff --git a/public/app.te b/public/app.te
index 5499302..96b8c07 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+# For AppFuse.
+allow appdomain vold:fd use;
+
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 9091b69..236604f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -229,6 +229,8 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;