Merge "Allow update_engine to write snapshotctl log data"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 677b9e2..f08f516 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -6,6 +6,7 @@
ephemeral_app
isolated_app
mediaprovider
+ mediaprovider_app
untrusted_app
untrusted_app_25
untrusted_app_27
@@ -145,8 +146,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
new file mode 100644
index 0000000..a07fc2d
--- /dev/null
+++ b/private/mediaprovider_app.te
@@ -0,0 +1,40 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/private/priv_app.te b/private/priv_app.te
index 643c06f..74930ee 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -60,9 +60,6 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
-# Access to /mnt/pass_through.
-allow priv_app mnt_pass_through_file:dir r_dir_perms;
-
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fed4325..6c3b607 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,8 @@
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 94b0e8d..2c0e470 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -295,6 +295,9 @@
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
# For when dumpstate runs df
dontaudit dumpstate {
mnt_vendor_file
diff --git a/public/property.te b/public/property.te
index a612e74..f30663a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -57,7 +57,6 @@
system_internal_prop(time_prop)
system_internal_prop(traced_enabled_prop)
system_internal_prop(traced_lazy_prop)
- system_internal_prop(virtual_ab_prop)
')
# Properties which can't be written outside system
@@ -151,6 +150,7 @@
system_public_prop(userspace_reboot_config_prop)
system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(virtual_ab_prop)
system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -196,7 +196,6 @@
system_public_prop(time_prop)
system_public_prop(traced_enabled_prop)
system_public_prop(traced_lazy_prop)
- system_public_prop(virtual_ab_prop)
system_public_prop(config_prop)
system_public_prop(cppreopt_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0be16f6..935c314 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -238,6 +238,7 @@
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)