mbtool's sepolpatch currently adds whichever type /data/media is labeled as to the mlstrustedobject attribute in order to satisfy the following constraint:
However, this doesn't seem to be sufficient. It seems that during sepolicy compilation, the constraint references the affected types directly, rather than through the attribute:
mbtool's sepolpatch currently adds whichever type
/data/media
is labeled as to themlstrustedobject
attribute in order to satisfy the following constraint:https://android.googlesource.com/platform/external/sepolicy/+/android-4.4.4_r2.0.1/mls#91
https://github.com/chenxiaolong/DualBootPatcher/blob/7bb9ef345cb2e95f0b814281e04d3777bfd4665b/mbtool/src/util/sepolpatch.cpp#L1054
However, this doesn't seem to be sufficient. It seems that during sepolicy compilation, the constraint references the affected types directly, rather than through the attribute: