Merge "Move MediaProvider to its own domain, add new MtpServer permissions"
diff --git a/public/isolated_app.te b/public/isolated_app.te
index f2216ee..fc9aba8 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -30,8 +30,10 @@
 # neverallow rules below.
 # TODO: consider removing write/append. We want to limit isolated_apps
 # ability to mutate files of any type.
-allow isolated_app sdcard_type:file { read write append getattr lock };
-auditallow isolated_app sdcard_type:file { write append };
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
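Review bot: The widened allow rule grants isolated_app write/append on media_rw_data_file:file unconditionally, but the comment justifies it only for sdcardfs; policy cannot be scoped to the filesystem in use, so on configurations without sdcardfs this is a broader grant than the rationale covers and should be stated as such. The comment at the top of the hunk points at neverallow rules below that constrain isolated_app's file access; those rules are outside this hunk, and if they name sdcard_type rather than media_rw_data_file the new type is not covered by them, which is worth checking before merging. I would extend the added comment with `# Note: this also applies on devices without sdcardfs, where the grant is wider than required; the matching neverallow rules should cover media_rw_data_file too.` The auditallow on write/append is kept for the new type, so hits from isolated_app on media_rw_data_file will surface in the audit log and can guide the existing TODO about dropping write/append.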