sepolicy: New type sdcard_posix for labeled filesystems

* Need this because sdcard_external is an alias for vfat Change-Id: I804ebb0fcf643d603b1a02ee7a54e6d5b6b46294
TeslaOS · Dec 13, 2014 · 00e4df3 · 00e4df3
1 parent 3126224
commit 00e4df3
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/domain.te b/domain.te
@@ -295,7 +295,7 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=

diff --git a/file.te b/file.te
@@ -31,6 +31,7 @@ type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;

diff --git a/vold.te b/vold.te
@@ -13,6 +13,7 @@ allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
 allow vold sdcard_type:dir mounton;
 allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_posix:filesystem { relabelto relabelfrom };
 allow vold sdcard_type:dir create_dir_perms;
 allow vold sdcard_type:file create_file_perms;
 allow vold tmpfs:filesystem { mount unmount };