Allow search/getattr access to media_rw_data_file for now.
With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth
Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.
Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
diff --git a/bluetooth.te b/bluetooth.te
index b143726..ff664ab 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,11 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow bluetooth media_rw_data_file:dir search;
+
###
### Neverallow rules
###
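Review bot: The comment added at the new rule (the three `# Access to /data/media.` lines here, and the identical text in the dumpstate.te and system_server.te hunks) says the grant is temporary but does not name the tracking bug, so a later audit of `media_rw_data_file` rules in the policy files cannot tell which condition retires them; the `Bug:` and `Change-Id` trailers live only in the commit description. Suggest one line in all three files, e.g. `# TODO(b/27932396): remove once sdcardfs alters the secontext of its accesses to the underlying FS.`. The grants themselves are narrow — `dir search` for bluetooth and system_server allows path traversal through /data/media but not listing or file access, and dumpstate receives only `dir getattr` — which appears deliberate given the description's "search/getattr", but a short comment on the dumpstate rule stating why getattr alone suffices would stop it reading as an inconsistency with the other two.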
diff --git a/dumpstate.te b/dumpstate.te
index 19b8adf..8f64a0c 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -137,3 +137,8 @@
allow dumpstate debugfs_tracing:file rw_file_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
diff --git a/system_server.te b/system_server.te
index 3cba289..8d8c303 100644
--- a/system_server.te
+++ b/system_server.te
@@ -492,6 +492,11 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow system_server media_rw_data_file:dir search;
+
###
### Neverallow rules
###