Allow mediaprovider_app access to /proc/filesystems. It needs to be able to see supported filesystems to handle external storage correctly. Bug: 146419093 Test: no denials Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e

commit: fd54803f0b2865735c51987baf4b80011bc5be5c [log] [tgz]
author: Martijn Coenen <maco@google.com> Wed Feb 19 17:10:43 2020 +0100
committer: Martijn Coenen <maco@google.com> Wed Feb 19 17:24:24 2020 +0100
tree: bd4ea26603a4b5485f0bafc3a3a7f8b211fa41f4
parent: 2ddfad3709f6499f87e162eb803256c797e0f634 [diff] [blame]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -186,7 +186,6 @@
 neverallow all_untrusted_apps {
   proc
   proc_asound
-  proc_filesystems
   proc_kmsg
   proc_loadavg
   proc_mounts
@@ -200,6 +199,10 @@
   proc_vmstat
 }:file { no_rw_file_perms no_x_file_perms };
 
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
commit	fd54803f0b2865735c51987baf4b80011bc5be5c	[log] [tgz]
author	Martijn Coenen <maco@google.com>	Wed Feb 19 17:10:43 2020 +0100
committer	Martijn Coenen <maco@google.com>	Wed Feb 19 17:24:24 2020 +0100
tree	bd4ea26603a4b5485f0bafc3a3a7f8b211fa41f4
parent	2ddfad3709f6499f87e162eb803256c797e0f634 [diff] [blame]