Split mediaprovider as a separate domain from priv_app
MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.
Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases
Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..6470b0e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,7 @@
# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -23,9 +23,9 @@
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
@@ -63,15 +63,15 @@
} *;
# Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-fuse # sdcard
-sdcardfs # sdcard
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 0000000..4be6401
--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1,34 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
diff --git a/private/priv_app.te b/private/priv_app.te
index 38ce673..0eac99e 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -100,20 +100,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
read_runtime_log_tags(priv_app)
###
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4356889..dc7e389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -102,6 +102,7 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user