platform_system_sepolicy/private/mediaprovider_app.te

72 lines
2.3 KiB
Text
Raw Normal View History

###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain, bpfdomain;
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
r_dir_file(mediaprovider_app, mnt_pass_through_file)
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
Restrict creating per-user encrypted directories Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
allow mediaprovider_app media_userdir_file:dir r_dir_perms;
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
# Talk to the DRM service
allow mediaprovider_app drmserver_service:service_manager find;
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
# Talk to the AudioServer service
allow mediaprovider_app audioserver_service:service_manager find;
# Talk to the MediaCodec APIs that log media metrics
allow mediaprovider_app mediametrics_service:service_manager find;
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
# Talk to statsd
allow mediaprovider_app statsmanager_service:service_manager find;
binder_call(mediaprovider_app, statsd)
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
# Allow MediaProvider to set extended attributes (such as quota project ID)
# on media files.
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
# Access external sdcards through /mnt/media_rw
allow mediaprovider_app { mnt_media_rw_file }:dir search;
allow mediaprovider_app proc_filesystems:file r_file_perms;
#Allow MediaProvider to see if sdcardfs is in use
get_prop(mediaprovider_app, storage_config_prop)
get_prop(mediaprovider_app, drm_service_config_prop)
allow mediaprovider_app gpu_device:chr_file rw_file_perms;
allow mediaprovider_app gpu_device:dir r_dir_perms;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };