Split mediaprovider from priv_app.

This CL was accidentally reverted a second time by commit:
cb5129f9de.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

private/app_neverallows.te

@@ -8,12 +8,12 @@ neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process
 define(`all_untrusted_apps',`{
   ephemeral_app
   isolated_app
+  mediaprovider
   untrusted_app
   untrusted_app_25
   untrusted_app_all
   untrusted_v2_app
 }')
-
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
 
@@ -35,9 +35,9 @@ neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
 
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
@@ -75,15 +75,15 @@ neverallow all_untrusted_apps *:{
 } *;
 
 # Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
 
 # Do not allow untrusted apps to create/unlink files outside of its sandbox,
 # internal storage or sdcard.
 # World accessible data locations allow application to fill the device
 # with unaccounted for data. This data will not get removed during
 # application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
   -fuse                     # sdcard
   -sdcardfs                 # sdcard

private/mediaprovider.te

@@ -0,0 +1,35 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)

private/priv_app.te

@@ -104,20 +104,6 @@ allow priv_app preloads_data_file:dir r_dir_perms;
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;
 
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
 

private/seapp_contexts

@@ -102,6 +102,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
 user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user

public/kernel.te

@@ -50,11 +50,12 @@ allow kernel tmpfs:chr_file write;
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
 
-# MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
 allow kernel sdcard_type:file { read write };
 
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
 # Allow the kernel to read OBB files from app directories. (b/17428116)
 # Kernel thread "loop0" reads a vold supplied file descriptor.
 # Fixes CTS tests:

public/mediaprovider.te

@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;