Merge "Allow mediadrmservice to access processinfo" into nyc-dev
diff --git a/adbd.te b/adbd.te
index 27ffdd8..cd5df2a 100644
--- a/adbd.te
+++ b/adbd.te
@@ -102,5 +102,7 @@
 allow adbd mnt_user_file:lnk_file r_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow adbd media_rw_data_file:dir create_dir_perms;
 allow adbd media_rw_data_file:file create_file_perms;
diff --git a/bootanim.te b/bootanim.te
index fa0e4dc..91a50d5 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -23,6 +23,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
+allow bootanim proc_meminfo:file r_file_perms;
 r_dir_file(bootanim, sysfs)
 r_dir_file(bootanim, cgroup)
 
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 4da7a31..e5bfb1c 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -57,7 +57,7 @@
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
-r_dir_file(domain_deprecated, proc_meminfo)
+allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
 
 # Get SELinux enforcing status.
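Review bot: The replacement `allow domain_deprecated proc_meminfo:file r_file_perms;` is the only raw allow in a run of `r_dir_file(...)` lines, and it carries no comment saying why it differs. The macro also grants dir and lnk_file read access, so the new rule is a narrowing. A one-line comment such as `# proc_meminfo labels a single file; no dir or lnk_file access is needed.` would stop a later cleanup from converting it back to the macro. That reading of the type is inferred from its name, so adjust the wording if proc_meminfo covers more than /proc/meminfo.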
diff --git a/kernel.te b/kernel.te
index 20b0c0a..1ca5673 100644
--- a/kernel.te
+++ b/kernel.te
@@ -65,6 +65,12 @@
 
 domain_auto_trans(kernel, init_exec, init)
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
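Review bot: The two new `allow kernel media_rw_data_file:...` rules give the kernel domain the full `create_dir_perms` and `create_file_perms` sets on /data/media, and the comment ties their removal to an sdcardfs change without any tracking reference. Since the comment itself describes the grant as removable, add a reference line such as `# TODO(b/<bug-id>): remove once sdcardfs sets its own secontext.` so the rule does not outlive the workaround. Nothing in the hunk shows which accesses were denied, so it is worth confirming that create, rename and unlink are all required rather than a narrower set such as `rw_file_perms`. The same grant and comment are added for mediaserver in mediaserver.te, and the comment alone is added in adbd.te and shell.te.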
diff --git a/mediaserver.te b/mediaserver.te
index 8616403..c6ec3ff 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -124,6 +124,12 @@
 allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/shell.te b/shell.te
index fc5c276..a304673 100644
--- a/shell.te
+++ b/shell.te
@@ -123,6 +123,8 @@
 allow shell ion_device:chr_file rw_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow shell media_rw_data_file:dir create_dir_perms;
 allow shell media_rw_data_file:file create_file_perms;