Confine all app domains, but make them permissive for now.

As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/media_app.te b/media_app.te
index 1fe06dd..5f09a63 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,10 +3,27 @@
 ###
 
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-unconfined_domain(media_app)
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file r_file_perms;
+allow media_app download_file:dir rw_dir_perms;
+allow media_app download_file:file create_file_perms;
+# Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
+allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
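Review bot: The two `unlabeled` getattr rules are matched by type, not by path, so once the domain is enforcing they cover every unlabeled file or directory media_app can reach, not only /cache/lost+found as the comment implies. The same holds for `allow media_app rootfs:file r_file_perms;`, which grants read on all rootfs files although the comment names only file_contexts. Both comments should state the real scope, e.g. `# Stat /cache/lost+found (applies to any unlabeled file/dir; label lost+found to narrow this).` The `permissive media_app;` line also has no in-file marker that it is temporary, and while it is present denials are only logged, so a comment such as `# TODO: drop permissive once logged denials are resolved` would keep it from being forgotten. The two `download_file` rules that follow the rootfs rule sit under the rootfs comment and deserve their own one-line comment.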