Merge "Only allow app domains to access SDcard via fuse mount."
diff --git a/unconfined.te b/unconfined.te
index f3c88a0..cd49cf1 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -48,7 +48,7 @@
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {
     file_type
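Review bot: The `-sdcard_type` exclusion on the `fs_type` rule here, and the matching one in the `@@ -71` hunk for `{ chr_file file }`, only removes the grant from these blanket rules; nothing visible in this file stops a later `allow` from handing the same access back to a non-app domain. If the restriction in the subject line is meant to hold, a build-time assertion would enforce it, for example `neverallow { domain -appdomain } sdcard_type:dir_file_class_set *;`, with the exception set widened to whichever daemons must keep access (presumably the fuse daemon itself). Any unconfined domain that relied on these rules to reach the SD card will now be denied, so it is worth checking for `avc: denied` entries against `sdcard_type` after the change and adding narrow per-domain rules where the access is legitimate. The `allow unconfineddomain {` statement that opens at the end of this hunk continues outside it.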
@@ -58,6 +58,7 @@
     -exec_type
     -security_file
     -shell_data_file
+    -app_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute execmod };
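Review bot: The added `-app_data_file` exclusion is not mentioned in the commit subject, which only talks about the SD card, and the rule has no comment explaining why app data is carved out of the unconfined grant. A short comment above the `allow unconfineddomain {` set would record the intent, for example `# No blanket access to app private data; grant app_data_file per domain where needed.` The same exclusion is added without explanation in the `@@ -81` hunk for `{ chr_file file }`. The type set these lines belong to starts before this hunk, so the rest of its exclusion list is not visible here.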
@@ -71,6 +72,7 @@
     -proc_security
     -contextmount_type
     -rootfs
+    -sdcard_type
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
@@ -81,6 +83,7 @@
     -exec_type
     -security_file
     -shell_data_file
+    -app_data_file
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;