Merge "add selinux rules for mini-keyctl"
diff --git a/private/zygote.te b/private/zygote.te
index 9f8a348..ab86f89 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -97,7 +97,10 @@
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
 # Allow mounting on sdcardfs dirs
-allow zygote sdcardfs:dir { search mounton };
+# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
+# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
+# sdcardfs simply wraps files stored under /data/media.)
+allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
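Review bot: The new `allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };` rule widens `mounton` to a second type, and the comment's "equivalent" claim describes the files, not the policy. Going by that comment, `media_rw_data_file` labels the backing directories under /data/media, so zygote could now mount over them directly and not only over the sdcardfs view. Since the TODO marks this as temporary, I would keep the original `allow zygote sdcardfs:dir { search mounton };` line untouched and add the workaround as a separate line, `allow zygote media_rw_data_file:dir { search mounton };`, so the revert is a one-line deletion. Adding `auditallow zygote media_rw_data_file:dir mounton;` beside it would log each use of the extra grant, which should help root-cause b/123533205 and confirm when the rule can be dropped.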