omni: sepolicy: Add posix-type fs rules for sdcards.

Everything below applies to sdcards formatted with an
ext4, f2fs or similar filesystem.

* Allow filesystem context relabeling from vold that is
  required to set the correct context.
* Grant access to the sdcard for untrusted_app,
  untrusted_app_25, priv_app, and platform_app.
* Label files & dirs below a corresponding sdcard with
  sdcard_posix (set in genfscontext).
* Allow installd to get the quota.
* Allow sdcard access for the mediaprovider.

Change-Id: I7b0347010e7bc11a461b0120f75095d5d6ad0c70
Signed-off-by: Alexander Diewald <Diewi@diewald-net.com>
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index 1dbd632..a9d564a 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -6,3 +6,4 @@
 genfscon fuseblk / u:object_r:fuse_device:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon ntfs / u:object_r:ntfs:s0
+genfscon sdcard_posix / u:object_r:sdcard_posix:s0
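Review bot: The first field of a genfscon entry is the kernel filesystem type name (as with `fuseblk`, `exfat` and `ntfs` on the lines above), but `sdcard_posix` is the SELinux type this commit introduces, so unless a filesystem registered under that name actually exists this entry matches nothing and an ext4/f2fs card keeps its default labelling. The vold.te hunk (`relabelfrom`/`relabelto` on `labeledfs` and `sdcard_posix`) suggests the label is really applied by vold mounting with a `context=` option; if so this line is dead and should be dropped, or replaced by a comment such as `# sdcard_posix is applied by vold via a context= mount, not by genfscon`. The `type sdcard_posix, ...;` declaration itself is not part of this diff; confirm it exists and carries the `fs_type` attribute (and presumably `sdcard_type`), since the `filesystem`-class rules elsewhere in the patch depend on it.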
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 47f0c52..cef2730 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,4 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_type:dir { search };
 allow installd sdcard_type:file { getattr };
+allow installd sdcard_posix:filesystem quotaget;
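Review bot: The new `quotaget` rule lands under `# Allow querying of asec size on SD card`, which describes the two `sdcard_type` rules above it and not a quota lookup; give it its own line, e.g. `# Quota lookup on posix-type (ext4/f2fs) sdcards`. The rule also relies on `sdcard_posix` being declared as a filesystem type, which this diff does not show.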
diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te
new file mode 100644
index 0000000..201692f
--- /dev/null
+++ b/sepolicy/mediaprovider.te
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+
+# non-fuse sdcard mediaprovider access
+allow mediaprovider sdcard_posix:dir r_dir_perms;
+allow mediaprovider sdcard_posix:file r_file_perms;
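Review bot: The new file grants mediaprovider read-only access (`r_dir_perms`/`r_file_perms`) while the commit message only says "sdcard access"; if MediaProvider is expected to delete or rename media on these cards, as it can through the FUSE path, these rules do not cover `write`, `unlink` or `rename` and the gap will show up as denials. State the intent in the header so the next reader does not widen it by reflex, e.g. `# non-fuse sdcard mediaprovider access (read-only by design)`.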
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 37c3537..356219e 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -3,4 +3,3 @@
 
 #exfat OTG
 allow mediaserver fuse_device:file { read getattr };
-
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 4e9ce97..bb66d50 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -22,3 +22,5 @@
 allow platform_app exfat:file { rw_file_perms create_file_perms };
 allow platform_app ntfs:dir { rw_dir_perms create_dir_perms };
 allow platform_app ntfs:file { rw_file_perms create_file_perms };
+allow platform_app sdcard_posix:dir create_dir_perms;
+allow platform_app sdcard_posix:file create_file_perms;
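Review bot: Style: the two new lines use bare `create_dir_perms` / `create_file_perms` while the exfat and ntfs lines directly above spell out `{ rw_dir_perms create_dir_perms }` / `{ rw_file_perms create_file_perms }`; in AOSP's global_macros the `create_*` macros already include the `rw_*` set, so the new form is equivalent, but either match the neighbours' form or add a short comment noting the subsumption so the asymmetry does not read as an omission. It is also worth a comment that platform_app is the only app domain in this patch given create/unlink on the card, whereas priv_app and untrusted_app get only `r_dir_perms` plus `rw_file_perms`, so a reader knows the difference is deliberate.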
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index d7caf8e..3178323 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -6,6 +6,10 @@
 allow priv_app fuse_device:file r_file_perms;
 allow priv_app fuse_device:filesystem { getattr };
 
+# posix-type fs
+allow priv_app sdcard_posix:dir r_dir_perms;
+allow priv_app sdcard_posix:file rw_file_perms;
+
 # MatLog calls dmesg
 allow priv_app kernel:system syslog_read;
 
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index c5f618e..49db93c 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -6,4 +6,5 @@
 allow untrusted_app asec_apk_file:dir getattr;
 allow untrusted_app fuse_device:file { getattr read write open };
 allow untrusted_app fuse_device:dir { search };
-
+allow untrusted_app sdcard_posix:dir r_dir_perms;
+allow untrusted_app sdcard_posix:file rw_file_perms;
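Review bot: Granting untrusted_app `rw_file_perms` on `sdcard_posix` exposes the card's raw filesystem to every third-party app; on the FUSE/sdcardfs path the storage runtime permission is typically enforced by the daemon's gid mapping, and nothing in this rule reproduces that, so only the card's own DAC ownership and mode bits now decide what an app without READ/WRITE_EXTERNAL_STORAGE can touch. A comment making that dependency explicit, e.g. `# Direct (non-fuse) access: runtime storage permission is NOT enforced here, only DAC on the card`, plus a check that vold mounts these cards with ownership that keeps per-app data private, would document the trust boundary. The same pair of rules is added for untrusted_app_25 and, with identical perms, for priv_app; the untrusted_app_25.te hunk additionally adds a blank line before an existing blank one, leaving two trailing empty lines, and its pre-existing context lines name `untrusted_app` rather than `untrusted_app_25`, which looks like a copy-paste artifact the new lines do not share.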
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
index ff56ae7..667c1da 100644
--- a/sepolicy/untrusted_app_25.te
+++ b/sepolicy/untrusted_app_25.te
@@ -2,4 +2,7 @@
 allow untrusted_app asec_apk_file:dir getattr;
 allow untrusted_app fuse_device:file { getattr read write open };
 allow untrusted_app fuse_device:dir { search };
+allow untrusted_app_25 sdcard_posix:dir r_dir_perms;
+allow untrusted_app_25 sdcard_posix:file rw_file_perms;
+
 
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9d05d8b..4ee8613 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -23,3 +23,6 @@
 
 allow vold fsck_exec:lnk_file { read };
 
+# Posix sdcard fs relabeling
+allow vold labeledfs:filesystem { relabelfrom relabelto };
+allow vold sdcard_posix:filesystem { relabelfrom relabelto };
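Review bot: `{ relabelfrom relabelto }` on both `labeledfs` and `sdcard_posix` is broader than a `context=` mount needs: the kernel checks `relabelfrom` against the filesystem's default SID (`labeledfs` for an xattr-labelled ext4/f2fs) and `relabelto` against the requested context, so `allow vold labeledfs:filesystem relabelfrom;` and `allow vold sdcard_posix:filesystem relabelto;` should be sufficient, and `relabelto` on `labeledfs` in particular lets vold context-mount any filesystem to the generic label. Keep the wider pair only if a denial actually asked for it. Depending on kernel version the mount may additionally need `allow sdcard_posix labeledfs:filesystem associate;`; confirm that against a denial log rather than adding it blind, and add a comment stating which mount option these rules exist for.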