authorBaocheng Sun <baocheng.sun@amlogic.com>2017-09-05 08:54:05 (GMT)
committer Baocheng Sun <baocheng.sun@amlogic.com>2017-09-21 07:25:58 (GMT)
commit06ed4de664faae8b2765c4b334db26eb8a8fac5b (patch)
tree5f19553315afbb1810114a68d23652e194ff108b
parent1826574311f5422eb9239313d77f68f03b3c53dd (diff)
sepolicy: update vold related sepolicy [2/4]
PD#147260 update vold related sepolicy Change-Id: If642fdc76e4aa69ef0153ccd1d88f019214b2236
Diffstat
-rw-r--r--common/products/mbox/product_mbox.mk4
-rw-r--r--common/products/tv/product_tv.mk3
-rw-r--r--common/sepolicy/blkid_untrusted.te2
-rw-r--r--common/sepolicy/file_contexts2
-rw-r--r--common/sepolicy/fsck_untrusted.te2
-rw-r--r--common/sepolicy/kernel.te2
-rw-r--r--common/sepolicy/sdcardd.te6
-rw-r--r--common/sepolicy/sgdisk.te1
-rw-r--r--common/sepolicy/system_server.te3
-rw-r--r--common/sepolicy/vold.te4
10 files changed, 27 insertions, 2 deletions
diff --git a/common/products/mbox/product_mbox.mk b/common/products/mbox/product_mbox.mk
index de66ae3..0b2614e 100644
--- a/common/products/mbox/product_mbox.mk
+++ b/common/products/mbox/product_mbox.mk
@@ -27,7 +27,9 @@ PRODUCT_PACKAGES += \
MboxLauncher
endif
-
+#droid vold
+PRODUCT_PACKAGES += \
+ droidvold
# Camera Hal
PRODUCT_PACKAGES += \
diff --git a/common/products/tv/product_tv.mk b/common/products/tv/product_tv.mk
index 88b15e7..fa63ecb 100644
--- a/common/products/tv/product_tv.mk
+++ b/common/products/tv/product_tv.mk
@@ -59,6 +59,9 @@ PRODUCT_PACKAGES += \
MboxLauncher
endif
+#droid vold
+PRODUCT_PACKAGES += \
+ droidvold
# Camera Hal
PRODUCT_PACKAGES += \
diff --git a/common/sepolicy/blkid_untrusted.te b/common/sepolicy/blkid_untrusted.te
index 4f59927..5b9318e 100644
--- a/common/sepolicy/blkid_untrusted.te
+++ b/common/sepolicy/blkid_untrusted.te
@@ -1,2 +1,4 @@
# blkid for untrusted block devices
allow blkid_untrusted vold_block_device:blk_file { getattr read open ioctl };
+allow blkid_untrusted sda_block_device:blk_file { r_file_perms getattr };
+allow blkid_untrusted vold:unix_stream_socket { read write };
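Review bot: The added `vold:unix_stream_socket { read write }` rule looks like an allowance for a socket descriptor inherited from vold rather than something blkid needs, and the same rule is added for fsck_untrusted, sdcardd and sgdisk in this commit. If that is the cause (the denial log is not on this page), the helpers that parse untrusted media end up holding a usable handle to a vold socket. Prefer opening that socket close-on-exec in the daemon so it is not inherited. If the denial is only noise, use `dontaudit blkid_untrusted vold:unix_stream_socket { read write };` rather than `allow`.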
diff --git a/common/sepolicy/file_contexts b/common/sepolicy/file_contexts
index b75fc37..ec2b5e0 100644
--- a/common/sepolicy/file_contexts
+++ b/common/sepolicy/file_contexts
@@ -45,6 +45,7 @@
/dev/block/mmcblk[0-9] u:object_r:sda_block_device:s0
/dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
/dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
+/dev/block/droidvold/.+ u:object_r:vold_device:s0
/dev/bootloader u:object_r:bootloader_device:s0
/dev/btusb0 u:object_r:hci_attach_dev:s0
@@ -121,6 +122,7 @@
/vendor/bin/usbtestpm u:object_r:usbpm_exec:s0
/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
+/vendor/bin/droidvold u:object_r:vold_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service.droidlogic u:object_r:hal_dumpstate_default_exec:s0
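Review bot: Labelling `/vendor/bin/droidvold` as `vold_exec` puts the vendor daemon in the same `vold` domain as the platform vold, assuming the usual init transition on `vold_exec`. Every rule this commit adds for `vold` (`rw_file_perms` on `sda_block_device`, mount of `unlabeled` filesystems) then widens both daemons, and a flaw in either one gets the union of the permissions. A dedicated pair such as `/vendor/bin/droidvold u:object_r:droidvold_exec:s0` with its own `droidvold` domain would let the policy grant only what the vendor daemon needs. Those type names are a suggestion and are not defined anywhere on this page.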
diff --git a/common/sepolicy/fsck_untrusted.te b/common/sepolicy/fsck_untrusted.te
index 2a9adea..3eda53a 100644
--- a/common/sepolicy/fsck_untrusted.te
+++ b/common/sepolicy/fsck_untrusted.te
@@ -1 +1,3 @@
allow fsck_untrusted vold_block_device:blk_file { getattr read write open ioctl };
+allow fsck_untrusted sda_block_device:blk_file { create getattr read write open ioctl };
+allow fsck_untrusted vold:unix_stream_socket { read write };
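Review bot: `fsck_untrusted` is the confined domain for checking removable media, yet the first added rule gives it `create read write` on `sda_block_device`, which file_contexts on this page maps to `/dev/block/mmcblk[0-9]`, its partitions and `mmcblk[0-9]rpmb`. If mmcblk is the internal eMMC on these boards, a fsck misled by a malformed card could modify on-board storage, which is what the `_untrusted` split is meant to prevent. The blkid_untrusted hunk grants read on the same type and the first vold.te hunk grants `rw_file_perms`. If the intent is SD cards that enumerate as mmcblk, label only those nodes `vold_block_device`, which this domain is already allowed, and drop `create`, which checking an existing device should not need.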
diff --git a/common/sepolicy/kernel.te b/common/sepolicy/kernel.te
index 20c71ee..0856d03 100644
--- a/common/sepolicy/kernel.te
+++ b/common/sepolicy/kernel.te
@@ -1,4 +1,4 @@
allow kernel self:capability mknod;
allow kernel device:blk_file { ioctl read write create getattr setattr unlink };
allow kernel device:dir {rw_file_perms rw_dir_perms write create};
-allow kernel device:chr_file { setattr create };
+allow kernel device:chr_file { getattr setattr create };
diff --git a/common/sepolicy/sdcardd.te b/common/sepolicy/sdcardd.te
index 5f0a4b1..88c5b2e 100644
--- a/common/sepolicy/sdcardd.te
+++ b/common/sepolicy/sdcardd.te
@@ -1,2 +1,8 @@
allow sdcardd mnt_media_rw_file:dir create_dir_perms;
allow sdcardd mnt_media_rw_file:file create_file_perms;
+
+allow sdcardd vold:unix_stream_socket { read write };
+
+# for exfat
+allow sdcardd unlabeled:dir { open read write getattr search };
+allow sdcardd unlabeled:file { open read write getattr };
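Review bot: The two `unlabeled` rules under `# for exfat` are not limited to exfat, because `unlabeled` is the type given to any object with a missing or invalid context, so sdcardd gains read/write on all of those. The second vold.te hunk does the same at mount level with `allow vold unlabeled:filesystem { mount unmount };`, which the author already marks as temporary. Giving the filesystem a label is the narrower fix, for example `genfscon exfat / u:object_r:vfat:s0` or a `context=` mount option. That assumes the driver registers as `exfat`, which the page does not show. The existing rules for the sdcard type would then apply and both `unlabeled` grants could be removed.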
diff --git a/common/sepolicy/sgdisk.te b/common/sepolicy/sgdisk.te
index 2bca927..05ab6b4 100644
--- a/common/sepolicy/sgdisk.te
+++ b/common/sepolicy/sgdisk.te
@@ -1,3 +1,4 @@
allow sgdisk kernel:system module_request;
allow sgdisk vold_block_device:blk_file { create getattr read write open ioctl };
+allow sgdisk vold:unix_stream_socket { read write };
diff --git a/common/sepolicy/system_server.te b/common/sepolicy/system_server.te
index cbdc1d3..2baf4bc 100644
--- a/common/sepolicy/system_server.te
+++ b/common/sepolicy/system_server.te
@@ -27,3 +27,6 @@ allow system_server { system_app platform_app untrusted_app priv_app }:file { wr
allow system_server uhid_device:chr_file {write open ioctl};
allow system_server dvb_device:chr_file rw_file_perms;
allow system_server uhid_device:chr_file { write open ioctl };
+
+allow system_server socket_device:sock_file { read write open };
+
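Review bot: `socket_device` is the generic type for `/dev/socket`, so `allow system_server socket_device:sock_file { read write open };` covers every socket file there that lacks a more specific label, not just the one this change needs. If the target is the droidvold socket (an inference from the rest of the commit), give it its own type in file_contexts and allow `write` on that type only. Connecting to a unix socket normally needs `write` on the sock_file plus `connectto` on the peer's `unix_stream_socket`, so `read` and `open` here are probably unnecessary. A comment naming the socket and its consumer would also help, since the rule is otherwise undocumented.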
diff --git a/common/sepolicy/vold.te b/common/sepolicy/vold.te
index 9f260ca..b260868 100644
--- a/common/sepolicy/vold.te
+++ b/common/sepolicy/vold.te
@@ -15,6 +15,7 @@ domain_auto_trans(vold, vold_ext_exec, vold_ext)
allow vold vold_ext_exec:file { execute read open execute_no_trans };
allow vold kernel:system module_request;
allow vold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
+allow vold sda_block_device:blk_file rw_file_perms;
#for dig
allow vold cache_file:file create_file_perms;
@@ -36,3 +37,6 @@ allow vold apk_data_file:dir { getattr open read };
#for hw keymaster
allow vold drm_device:chr_file {open read write ioctl};
+
+#for exfat, temporary way
+allow vold unlabeled:filesystem { mount unmount };