Move MediaProvider to its own domain, add new MtpServer permissions

Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

a denial when setting the property sys.usb.ffs.mtp.ready from the priv_app context

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 87efe0e..1fcd2a4 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,4 +51,9 @@
       <seinfo value="platform" />
     </signer>
 
+    <!-- Media key in AOSP -->
+    <signer signature="@MEDIA" >
+      <seinfo value="media" />
+    </signer>
+
 </policy>
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 0000000..a0ac029
--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1 @@
+app_domain(mediaprovider)
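Review bot: The new file consists solely of `app_domain(mediaprovider)` with no `type mediaprovider, domain;` declaration preceding it, so unless the type is declared elsewhere in the commit, the `typeattribute` the app_domain macro expands to names an undeclared type and the policy will not build; the sibling app-domain files this commit splits from declare the type first. The commit message also says this domain receives the MtpServer rules (writing the `functionfs` ep0 file, setting `sys.usb.ffs.mtp.ready`) and the permissions moved out of priv_app, yet none of those rules appear in this one-line file — presumably they live in a part of the commit outside this excerpt, which is worth confirming before merging. A short header comment naming the domain's purpose would help the next reader, e.g. `# Domain for the MediaProvider process (android.process.media), which also hosts the MTP server.`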
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 6349a97..1289001 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -93,6 +93,7 @@
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
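Review bot: The added row binds the mediaprovider domain on both `seinfo=media` and `name=android.process.media`, so a component signed with the media key but running under any other process name will not match it and instead falls through to the generic `platform`/`isPrivApp`/untrusted rows by specificity. If that tight binding to the known process name is intended, a comment on the row would save the next reader the question, e.g. `# MediaProvider runs as android.process.media; media-key processes under other names take the generic rows.`; if not, the `name=` key is the part to revisit. Whether any package actually carries both a platform and a media signature is not visible from this excerpt.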