vendor: sepolicy update
- sdcard changes (imported from CyanogenMod)
- exFAT/NTFS OTG storage changes
Change-Id: I617d0188d53797866b71db0dbcbfc27bf3e35aa1
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 18780db..bc2fbef 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -5,3 +5,7 @@
#type sysfs_ioscheduler, fs_type, sysfs_type;
#type sysfs_zram, fs_type, sysfs_type;
#type sysfs_ksm, fs_type, sysfs_type;
+# Filesystems
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+#type fuse_device, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
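Review bot: The `fuse_device` declaration on L15 is left commented out, so the type that genfs_contexts and the other files in this change use for fuseblk mounts is not given `sdcard_type`/`fs_type` here; presumably it resolves to the pre-existing /dev/fuse device-node type instead. That is why the `sdcard_type` rules added for installd and vold do not reach fuseblk mounts and every domain (fsck_untrusted, mediaserver, platform_app, untrusted_app, vold) needs bespoke `fuse_device` rules plus the `self:filesystem associate` workaround in fuse_device.te. Suggest declaring a real filesystem type alongside exfat and ntfs, `type fuseblk, sdcard_type, fs_type, mlstrustedobject;`, and labeling fuseblk with it. A short comment on the three types, `# OTG media filesystems; sdcard_type so the existing sdcard rules for apps/vold/installd apply`, would also record the intent.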
diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te
index 5d12f76..d835967 100644
--- a/sepolicy/fsck_untrusted.te
+++ b/sepolicy/fsck_untrusted.te
@@ -1,2 +1,10 @@
# External storage
allow fsck_untrusted self:capability sys_admin;
+
+#OTG Mount
+allow fsck_untrusted mnt_media_rw_stub_file:dir { rw_file_perms mounton };
+allow fsck_untrusted mnt_media_rw_file:dir rw_dir_perms;
+allow fsck_untrusted mnt_media_rw_file:file rw_file_perms;
+allow fsck_untrusted fuse_device:chr_file { read write open getattr };
+allow fsck_untrusted fuse_device:filesystem mount;
+
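Review bot: L26 and L30 give fsck_untrusted `mounton` for the media_rw stub directory and `mount` on fuse_device filesystems, which turns a domain that exists to run fsck over attacker-controlled media into one that can also mount a filesystem over that tree; a parsing bug in the checker on a crafted exFAT/NTFS image then yields mount capability rather than just a crash. The matching `unmount` is granted to vold in this same change, so presumably the mount helper is currently executing inside fsck_untrusted; moving the mount rules to vold (or a dedicated mount domain) and leaving fsck_untrusted with block-device access keeps the privilege in the domain that owns the volume lifecycle. Separately, `rw_file_perms` on a `dir` object on L26 is the file macro; if traversal is needed use `rw_dir_perms`, otherwise `{ search mounton }` is all a mount requires. L31 also adds a trailing blank line.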
diff --git a/sepolicy/fuse_device.te b/sepolicy/fuse_device.te
new file mode 100644
index 0000000..b8e1631
--- /dev/null
+++ b/sepolicy/fuse_device.te
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+
+#Exfat OTG
+allow fuse_device self:filesystem associate;
+
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index 707592e..1dbd632 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -3,6 +3,6 @@
#
# treat fuseblk as sdcard_external
-#genfscon fuseblk / u:object_r:sdcard_external:s0
-#genfscon exfat / u:object_r:sdcard_external:s0
-#genfscon ntfs / u:object_r:sdcard_external:s0
+genfscon fuseblk / u:object_r:fuse_device:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
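Review bot: `genfscon fuseblk / u:object_r:fuse_device:s0` on L54 labels the contents of every fuseblk (ntfs-3g) mount with a type that, as far as this diff shows, is not declared as a filesystem type at all (its file.te declaration is commented out), unlike the exfat and ntfs labels on L55-L56. Reusing a device type for filesystem content is what forces the `allow fuse_device self:filesystem associate;` rule in fuse_device.te and the per-domain `fuse_device:dir/file` rules elsewhere in the change. Prefer a dedicated `sdcard_type, fs_type` type and `genfscon fuseblk / u:object_r:fuseblk:s0`, and update the comment on L50, which still says "treat fuseblk as sdcard_external" although nothing here uses that label any more: `# OTG media: fuseblk (ntfs-3g), exfat and ntfs get their own sdcard_type labels`.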
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 449d35b..47f0c52 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,4 +1,3 @@
# Allow querying of asec size on SD card
-#allow installd sdcard_external:dir { search };
-#allow installd sdcard_external:file { getattr };
-
+allow installd sdcard_type:dir { search };
+allow installd sdcard_type:file { getattr };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..37c3537
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+
+#exfat OTG
+allow mediaserver fuse_device:file { read getattr };
+
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 5cd18a3..9a4b58e 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -8,3 +8,8 @@
# gallery2 crop avatar
#allow platform_app system_app_data_file:file { create_file_perms rw_file_perms };
+#exfat/ntfs OTG
+allow platform_app fuse_device:dir { rw_dir_perms create_dir_perms };
+allow platform_app fuse_device:file { rw_file_perms create_file_perms };
+allow platform_app fuse_device:filesystem getattr;
+
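Review bot: On L88 and L89 the permission sets are redundant: in AOSP's global_macros `create_dir_perms` already expands to include `rw_dir_perms` and `create_file_perms` includes `rw_file_perms`, so `{ rw_dir_perms create_dir_perms }` can be written `create_dir_perms` and `{ rw_file_perms create_file_perms }` as `create_file_perms`. Beyond that, these rules grant every platform_app full create/write access to fuseblk mounts while exfat/ntfs, declared with `sdcard_type` in file.te, follow the existing sdcard rules; if fuseblk were labeled with an `sdcard_type` type too, this per-domain block would be unnecessary and apps would see consistent access across all three OTG filesystems. A comment such as `# ntfs-3g (fuseblk) OTG mounts; exfat/ntfs are covered through sdcard_type` would at least record why this domain needs separate rules.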
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..b5a1a21
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,8 @@
+###########################
+# OmniROM common sepolicy
+
+# exfat OTG
+userdebug_or_eng(`allow untrusted_app mnt_media_rw_file:dir getattr;'
+`allow untrusted_app asec_apk_file:dir getattr;'
+`allow untrusted_app fuse_device:file { getattr read };')
+
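Review bot: The `userdebug_or_eng` call on L102-L104 wraps each rule in its own m4 quote pair with nothing between them; m4 concatenates adjacent quoted strings so it builds, but the form is fragile (a stray comma would split the argument) and differs from the single-quote-pair layout used for this macro elsewhere in AOSP policy. Open the quote once before the first `allow`, close it once after the third, and indent the three rules inside. Since this is debug-only policy, replace `# exfat OTG` with a comment naming the denials it silences; in particular `allow untrusted_app asec_apk_file:dir getattr;` on L103 has no evident connection to exFAT OTG, so the reason should be stated.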
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index fdbbd47..1a1d1ad 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -5,7 +5,7 @@
domain_trans(init, rootfs, vold)
# Allow vold to manage ASEC
-#allow vold sdcard_external:file create_file_perms;
+allow vold sdcard_type:file create_file_perms;
allow vold vold_tmpfs:file create_file_perms;
# Allow vold to access fuse for fuse-based fs
@@ -13,10 +13,11 @@
# NTFS-3g wants to drop permission
allow vold self:capability { setgid setuid };
-
# External storage
allow vold storage_stub_file:dir { rw_file_perms search add_name };
allow vold mnt_media_rw_stub_file:dir r_dir_perms;
-allow vold mkfs_exec:file { execute read open execute_no_trans };
+allow vold mkfs_exec:file { execute read open getattr execute_no_trans };
+allow vold fuse_device:dir getattr;
+allow vold fuse_device:filesystem unmount;
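Review bot: L127 gives vold `unmount` on fuse_device filesystems while the matching `mount`, and the `mounton` for the media_rw mount point, are granted to fsck_untrusted in this same change, so the fuseblk mount lifecycle is split across two domains and vold alone cannot remount a volume it is allowed to unmount. Presumably the intent is `allow vold fuse_device:filesystem { mount unmount };` here, plus `allow vold mnt_media_rw_stub_file:dir mounton;` if not already present, with fsck_untrusted left to checking only; the domain the mount helper actually runs in is not visible in this diff, so that should be confirmed against the denials. The comment on L121 ("External storage") could also note that fuse_device covers ntfs-3g OTG mounts. The hunk header counts more lines than are shown, so part of this hunk lies outside the visible text.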