commit b469c30069afd96df54e3fa18940fcfdfd9737a1
author Jeff Sharkey <jsharkey@android.com> Fri Mar 30 12:22:54 2018 -0600
committer Jeff Sharkey <jsharkey@android.com> Mon Apr 16 12:49:10 2018 -0600
tree 987134796389ac8ab2e000cf7ee158c530c2c84b
parent fde3e6a0f72452c2b6c9b1da9777e60b27c3d8ea

Add exFAT support; unify behind "sdcard_type".

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4628314..8d9ccd6 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -93,9 +93,7 @@
 # application un-installation.
 neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
-  -fuse                     # sdcard
-  -sdcardfs                 # sdcard
-  -vfat
+  -sdcard_type
   file_type
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 71c7a00..bc847ee 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,6 +18,7 @@
     crossprofileapps_service
     e2fs
     e2fs_exec
+    exfat
     exported_bluetooth_prop
     exported_config_prop
     exported_dalvik_prop

private/compat/27.0/27.0.ignore.cil

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 94c81d0..0e8c164 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,7 @@
     bpfloader_exec
     cgroup_bpf
     crossprofileapps_service
+    exfat
     exported2_config_prop
     exported2_default_prop
     exported2_radio_prop

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index c261afa..ce26d73 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -229,6 +229,7 @@
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0

private/platform_app.te

diff --git a/private/platform_app.te b/private/platform_app.te
index 80b20e1..f60597a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -34,8 +34,8 @@
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
 
 # com.android.systemui
 allow platform_app rootfs:dir getattr;