platform_system_sepolicy/private/mediaprovider_app.te

###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain;

app_domain(mediaprovider_app)

# Access to /mnt/pass_through.
allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;

# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };

# Allow MediaProvider to read/write media_rw_data_file files and dirs
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;

# Talk to the DRM service
allow mediaprovider_app drmserver_service:service_manager find;

# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;

# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;

# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)

# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;

# Allow MediaProvider to set extended attributes (such as quota project ID)
# on media files.
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
  FS_IOC_FSGETXATTR
  FS_IOC_FSSETXATTR
  FS_IOC_GETFLAGS
  FS_IOC_SETFLAGS
};
Create new mediaprovider_app domain. This is a domain for the MediaProvider mainline module. The MediaProvider process is responsible for managing external storage, and as such should be able to have full read/write access to it. It also hosts a FUSE filesystem that allows other apps to access said storage in a safe way. Finally, it needs to call some ioctl's to set project quota on the lower filesystem correctly. Bug: 141595441 Test: builds, mediaprovider module gets the correct domain Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548 2020-01-30 16:52:45 +01:00			`###`
			`### A domain for further sandboxing the MediaProvider mainline module.`
			`###`
			`type mediaprovider_app, domain, coredomain;`

			`app_domain(mediaprovider_app)`

			`# Access to /mnt/pass_through.`
			`allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;`

			`# Allow MediaProvider to host a FUSE daemon for external storage`
			`allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };`

			`# Allow MediaProvider to read/write media_rw_data_file files and dirs`
			`allow mediaprovider_app media_rw_data_file:file create_file_perms;`
			`allow mediaprovider_app media_rw_data_file:dir create_dir_perms;`

			`# Talk to the DRM service`
			`allow mediaprovider_app drmserver_service:service_manager find;`

			`# Talk to the MediaServer service`
			`allow mediaprovider_app mediaserver_service:service_manager find;`

			`# Talk to regular app services`
			`allow mediaprovider_app app_api_service:service_manager find;`

			`# Talk to the GPU service`
			`binder_call(mediaprovider_app, gpuservice)`

			`# read pipe-max-size configuration`
			`allow mediaprovider_app proc_pipe_conf:file r_file_perms;`

			`# Allow MediaProvider to set extended attributes (such as quota project ID)`
			`# on media files.`
			`allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {`
			`FS_IOC_FSGETXATTR`
			`FS_IOC_FSSETXATTR`
			`FS_IOC_GETFLAGS`
			`FS_IOC_SETFLAGS`
			`};`