Merge "Allow mediaprovider_app access to /proc/filesystems."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@
neverallow all_untrusted_apps {
proc
proc_asound
- proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@@ -200,6 +199,10 @@
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
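Review bot: The carve-out on the new neverallow at the `{ all_untrusted_apps - mediaprovider_app }` line exempts mediaprovider_app from the whole `{ no_rw_file_perms no_x_file_perms }` set, although the grant in mediaprovider_app.te is only `r_file_perms`; the policy-level guarantee would be tighter if write and execute stayed forbidden for every untrusted app, including mediaprovider_app, and only read were exempted. One way is to split the rule: `neverallow all_untrusted_apps proc_filesystems:file { no_w_file_perms no_x_file_perms };` followed by `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file no_rw_file_perms;`. The comment could also point to where the read access is actually granted, e.g. `# mediaprovider_app is allowed r_file_perms in private/mediaprovider_app.te`, so a later reader does not have to search for the matching allow.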
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2d..0b1047a 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
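Review bot: The new allow rule has no comment, while the matching neverallow exemption in private/app_neverallows.te explains the reason; the rationale should live next to the grant too, since that is the line someone will find when auditing mediaprovider_app's access. Suggest preceding it with `# Read /proc/filesystems because mediaprovider_app handles external storage (exempted from the neverallow in app_neverallows.te).` The grant is read-only (`r_file_perms`), which matches the stated need; if a narrower perm set such as `{ read open getattr }` suffices, that is worth confirming with the actual access pattern.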