Move MediaProvider to its own domain, add new MtpServer permissions

Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider-specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

denial from setting property sys.usb.ffs.mtp.ready, context priv_app

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
new file mode 100644
index 0000000..f34410b
--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,50 @@
+type mediaprovider, domain;
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
+
+allow mediaprovider mediacodec_service:service_manager find;
+allow mediaprovider mediadrmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider system_api_service:service_manager find;
+
+# /sys and /proc access
+r_dir_file(mediaprovider, sysfs_type)
+r_dir_file(mediaprovider, proc)
+r_dir_file(mediaprovider, rootfs)
+
+# Access to /data/preloads
+allow mediaprovider preloads_data_file:file r_file_perms;
+
+###
+### neverallow rules (see corresponding rules in priv_app)
+###
+
+# Receive or send uevent messages.
+neverallow mediaprovider domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow mediaprovider domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow mediaprovider debugfs:file read;
+
+# Only trusted components of Android should be registering
+# services.
+neverallow mediaprovider service_manager_type:service_manager add;
+
+# Do not allow mediaprovider to be assigned mlstrustedsubject.
+neverallow mediaprovider mlstrustedsubject:process fork;
+
+# Do not allow mediaprovider to hard link to any files.
+neverallow mediaprovider file_type:file link;
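
Review bot: The three r_dir_file grants under "# /sys and /proc access" are the broadest rules in the new domain, and nothing in the commit message ties them to a MediaProvider or MtpServer need: the denials quoted there only cover functionfs and the sys.usb.ffs.mtp.ready property. `r_dir_file(mediaprovider, sysfs_type)` gives read access to every sysfs type, and `r_dir_file(mediaprovider, rootfs)` is not covered by the comment above it at all. Since the point of splitting this domain out of priv_app is to scope it down, consider dropping these to the specific types MediaProvider actually reads (confirmed by running with the rules removed and collecting denials), or at least extending the comment to say which code path requires each one. The same applies to the `app_api_service` and `system_api_service` find rules, which are attribute-wide and carry no comment, unlike the four named media services above them.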