Allow mediaprovider_app access to /proc/filesystems.
It needs to be able to see supported filesystems to handle external
storage correctly.
Bug: 146419093
Test: no denials
Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@
neverallow all_untrusted_apps {
proc
proc_asound
- proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@@ -200,6 +199,10 @@
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
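Review bot: Subtracting mediaprovider_app from the set at the new neverallow on proc_filesystems lifts the write and execute prohibitions for it as well, although the commit only needs read access (the grant in mediaprovider_app.te is `r_file_perms`). Keeping the write/execute ban on the full untrusted set and carving out only the read side preserves the original least-privilege guarantee: `neverallow all_untrusted_apps proc_filesystems:file { no_w_file_perms no_x_file_perms };` followed by `neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file no_rw_file_perms;`. The comment above the rule also reads as if this line grants access; it only exempts mediaprovider_app from the neverallow, so `# mediaprovider_app is exempted from this neverallow because it handles external storage; the read grant lives in mediaprovider_app.te` would describe it more precisely.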
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2d..0b1047a 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
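Review bot: The new allow rule carries no comment, so a reader of mediaprovider_app.te cannot tell why an untrusted app domain reads a /proc file that is otherwise neverallowed to every other untrusted app, and the rationale is only recoverable from the commit message. A one-line comment above the rule, such as `# Read /proc/filesystems to learn the supported filesystems for external storage; this is carved out of the untrusted-app neverallow in app_neverallows.te`, ties the grant to its exemption and makes later audits of the neverallow easier. The ioctl allowlist this hunk appends after is closed at `};` but its opening lies outside the hunk.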