Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / afede84ad598ee860fdba1f5002ca7b0609235aa^! / .
commitafede84ad598ee860fdba1f5002ca7b0609235aa[log] [tgz]
authorDaniel Rosenberg <drosen@google.com>Mon May 11 22:50:40 2020 -0700
committerDaniel Rosenberg <drosen@google.com>Tue May 19 00:30:52 2020 -0700
treeb0f45c4125a840e31866fe3f4bcd46311895ca7c
parentb0de2a8fe832b1d8cdc5bc34d2e449a523084e32 [diff]
Add sdcardfs variable to storage_config_props

This property allows us to disable sdcardfs if it is present. The old
property ended up getting repurposed, so a new one was needed.
Mediaprovider will also need to access this to determine what actions it
needs to take.

Test: builds
Bug: 155222498
Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f

diff --git a/private/app.te b/private/app.te
index a03bcb0..9964605 100644
--- a/private/app.te
+++ b/private/app.te

@@ -35,3 +35,6 @@
     { domain -appdomain -crash_dump -rs }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
+
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;

diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index fea903e..9afbadd 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te

@@ -43,3 +43,6 @@
 allow mediaprovider_app { mnt_media_rw_file }:dir search;
 
 allow mediaprovider_app proc_filesystems:file r_file_perms;
+
+#Allow MediaProvider to see if sdcardfs is in use
+get_prop(mediaprovider_app, storage_config_prop)

diff --git a/private/property_contexts b/private/property_contexts
index cfcfd5e..326c474 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -416,6 +416,7 @@
 
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
 
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 

diff --git a/public/app.te b/public/app.te
index 2c8e335..433bb7d 100644
--- a/public/app.te
+++ b/public/app.te

@@ -568,9 +568,6 @@
   -system_app
 } { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
-# Don't allow apps access to storage configuration properties.
-neverallow appdomain storage_config_prop:file no_rw_file_perms;
-
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;