Label /data/media with its own type and allow access.
/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.
We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system. We should not have to allow it to untrusted_app.
Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.
Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sdcardd.te b/sdcardd.te
index 25d1246..f9e72b7 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -3,3 +3,7 @@
init_daemon_domain(sdcardd)
unconfined_domain(sdcardd)
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;