Split mediaprovider as a separate domain from priv_app

MediaProvider requires permissions that diverge from those
of a typical priv_app. This creates a new domain and removes
MTP-related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..6470b0e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,7 @@
 # Only allow domains in AOSP to use the untrusted_app_all attribute.
 neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
 
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
 
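Review bot: The define now puts a privileged domain into a set literally named all_untrusted_apps, and nothing on the line says this is deliberate or that the `-mediaprovider` carve-outs elsewhere in the file are the only intended exceptions; a reader will assume every member is a third-party app. Add a comment above the define, e.g. `# mediaprovider is split from priv_app but is deliberately held to the untrusted-app neverallows; any exception is carved out explicitly below with a reason.` The carve-outs themselves live in the following hunks, so a reader of this hunk alone cannot see them.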
@@ -23,9 +23,9 @@
 
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
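Review bot: Exempting mediaprovider from the third rule lifts the restriction for every property_type, not just the property MediaProvider actually needs to set, and neither the hunk nor the commit message says which property that is (presumably a set_prop rule in mediaprovider.te, which is not in this diff — confirm). The first two exemptions (writing property_socket and connecting to init) are unavoidable if the domain is to set anything, but the third can stay narrow: once the needed type is known, write `neverallow all_untrusted_apps { property_type -<the one type mediaprovider sets> }:property_service set;` so the blanket rule still catches any later over-broad allow. Record the reason beside the carve-out as well, e.g. `# mediaprovider must set <property> for MTP; b/33574909.` As written, a compromised MediaProvider may set whatever properties its domain is ever granted, and the neverallow that would have flagged such a grant at policy build time is gone.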
@@ -63,15 +63,15 @@
 } *;
 
 # Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
 
 # Do not allow untrusted apps to create/unlink files outside of its sandbox,
 # internal storage or sdcard.
 # World accessible data locations allow application to fill the device
 # with unaccounted for data. This data will not get removed during
 # application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
   -fuse                     # sdcard
   -sdcardfs                 # sdcard
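Review bot: The /cache carve-out at the top of the hunk drops the write restriction on both cache_file and cache_recovery_file for mediaprovider, and nothing explains why a media/MTP provider must write recovery's cache; the commit message's DownloadProvider tests suggest OTA downloads land there, but that is an inference to confirm. Add a why-comment on the exception, e.g. `# mediaprovider writes downloads under /cache (DownloadProvider runs in this domain?); b/33574909`, and if only cache_file is actually needed, keep cache_recovery_file under the neverallow by listing the two types separately. The fs_type create/unlink exemption lower in the hunk is broader still (every fs_type minus the listed exclusions) and that neverallow statement continues past the end of this hunk, so the same justification comment belongs on it.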