[1/2] vendor: sepolicy: external sdcard rodeo
Sepolicy changes required,
and add all NTFS and exFAT tools to the build.
big thanks to CM
Change-Id: I6b6581b4d6a9fc3ad200c4a6c63e265521f9859d
diff --git a/config/packages.mk b/config/packages.mk
index d1b1656..733269e 100644
--- a/config/packages.mk
+++ b/config/packages.mk
@@ -33,14 +33,13 @@
htop \
lsof \
mke2fs \
- mkfs.exfat \
mount.exfat \
nano \
openvpn \
powertop \
tune2fs \
vim \
- ntfsfix \
- ntfs-3g \
- mkntfs
+ mkfs.ntfs \
+ mount.ntfs \
+ fsck.ntfs
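Review bot: mkfs.exfat is dropped from the package list here while sepolicy/file_contexts in the same commit still labels /system/bin/mkfs\.exfat as mkfs_exec, so either the binary is still pulled in through another dependency or that label is dead and exFAT formatting will fail at runtime; worth confirming which before merging. The assignment this list belongs to begins above the hunk. If the tool is meant to stay, keep the line `mkfs.exfat \` in place.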
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..ab082a9
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,5 @@
+# Access OBBs (sdcard_posix) mounted by vold
+# File write access allowed for FDs returned through Storage Access Framework
+allow appdomain sdcard_posix:dir r_dir_perms;
+allow appdomain sdcard_posix:file rw_file_perms;
+
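Review bot: rw_file_perms on line 4 includes open, so this grants every app domain (appdomain in AOSP policy covers untrusted_app and isolated_app) direct open of files on a sdcard_posix mount, not only use of FDs handed over through Storage Access Framework as the comment states. If FD pass-through is the intent, the file rule can be narrowed to `allow appdomain sdcard_posix:file { getattr read write ioctl lock append };`; if direct open is intended, the comment should say so, since this path bypasses the checks the FUSE layer applies. Whether apps can actually reach the mount also depends on search access to its parent and on DAC ownership, which this page does not show. Line 5 is a trailing blank line.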
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 0723c8d..fab68a8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -13,3 +13,12 @@
/system/bin/sysinit u:object_r:sysinit_exec:s0
/system/etc/init.d/90userinit u:object_r:userinit_exec:s0
/data/local/userinit.sh u:object_r:userinit_data_exec:s0
+
+# mkfs
+/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
+/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
+/system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
+
+# fsck
+/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
+/system/bin/mount\.exfat u:object_r:fsck_exec:s0
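Review bot: /system/bin/mount\.exfat is labelled fsck_exec under the # fsck heading, so the exFAT mount helper runs in whichever fsck domain fsck_exec transitions into rather than in a mount-specific domain; if that is deliberate (for example because the helper also performs the check pass) the comment should say so, otherwise it deserves its own label. Suggested comment above the line: `# mount.exfat shares fsck_exec because <reason>`. mkfs\.f2fs and mkfs\.exfat are labelled mkfs_exec here although neither is added to the package list in this commit (mkfs.exfat is removed from it), so one of them may be a stale label.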
diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te
new file mode 100644
index 0000000..5d12f76
--- /dev/null
+++ b/sepolicy/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# External storage
+allow fsck_untrusted self:capability sys_admin;
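Review bot: Granting sys_admin to fsck_untrusted hands a broad capability to the domain that exists specifically to check attacker-controlled filesystems from removable media, and the comment `# External storage` does not say which operation needs it. Replace it with a comment naming the tool and operation taken from the recorded denial, e.g. `# fsck.ntfs needs CAP_SYS_ADMIN for <operation> on removable media`, so a later reviewer can judge whether a narrower rule is possible. If the denial comes from the checker attempting a mount rather than from the check itself, that is better avoided than allowed.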
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index 7c9f694..c2f47fb 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -4,3 +4,5 @@
# treat fuseblk as sdcard_external
genfscon fuseblk / u:object_r:sdcard_external:s0
+genfscon exfat / u:object_r:sdcard_external:s0
+genfscon ntfs / u:object_r:sdcard_external:s0
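Review bot: The comment on the line above only mentions fuseblk, but the two new genfscon lines extend the same labelling to exfat and ntfs mounts; update it to `# treat fuseblk, exfat and ntfs as sdcard_external` so the reason for the shared label stays visible. The ntfs line labels in-kernel ntfs mounts, whereas mounts through ntfs-3g are already covered by the fuseblk line; if only the FUSE path is expected on this device, the ntfs entry may be unnecessary.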
diff --git a/sepolicy/mkfs.te b/sepolicy/mkfs.te
new file mode 100644
index 0000000..fe7c61b
--- /dev/null
+++ b/sepolicy/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, domain;
+type mkfs_exec, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
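Review bot: Nothing on this page enters the mkfs domain for the external-storage case this commit is about: vold.te grants vold execute_no_trans on mkfs_exec, so formatting launched by vold runs in vold's own domain, and the rules here (init_daemon_domain plus rw on userdata and cache block devices) only apply when init starts the tool. If vold-driven formatting is meant to be confined, replace the execute_no_trans grant with `domain_auto_trans(vold, mkfs_exec, mkfs)` and allow mkfs the block-device type used for the removable media rather than the internal partitions. If the userdata/cache access serves a separate init-started use, the comment on line 6 should name that service, because as written it gives a formatting tool write access to internal partitions that this change does not need.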
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..db8647d
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,4 @@
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app sdcard_posix:dir create_dir_perms;
+allow platform_app sdcard_posix:file create_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..f4c31eb
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1 @@
+allow system_server storage_stub_file:dir { getattr };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index f77801f..14b4d34 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -6,9 +6,17 @@
# Allow vold to manage ASEC
allow vold sdcard_external:file create_file_perms;
+allow vold vold_tmpfs:file create_file_perms;
# Allow vold to access fuse for fuse-based fs
allow vold fuse_device:chr_file rw_file_perms;
# NTFS-3g wants to drop permission
allow vold self:capability { setgid setuid };
+
+# External storage
+allow vold storage_stub_file:dir { rw_file_perms search add_name };
+allow vold mnt_media_rw_stub_file:dir r_dir_perms;
+allow vold mkfs_exec:file { execute read open execute_no_trans };
+
+
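Review bot: rw_file_perms is a file-class macro applied to a dir in the storage_stub_file rule; the directory access vold needs (listing, searching, creating mount-point entries) is better expressed with the dir macros, e.g. `allow vold storage_stub_file:dir create_dir_perms;` if mount points are created there, or `rw_dir_perms` if only existing directories are used, and add_name alone does not cover creating a new directory, which also needs create on the child. The mkfs_exec rule runs the formatter with execute_no_trans, so the mkfs domain added in this commit is never entered from vold. The file ends with two blank lines.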