Merge "Create new mediaprovider_app domain." am: 164359b952 am: c4f463d17e

Change-Id: I878eccd3e3a7e0999f82cd0d48841b7d75b531b4
This commit is contained in:
Automerger Merge Worker 2020-02-05 08:22:25 +00:00
commit 8d8af4cb20
4 changed files with 45 additions and 5 deletions

View file

@ -6,6 +6,7 @@ define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
mediaprovider_app
untrusted_app
untrusted_app_25
untrusted_app_27
@ -145,8 +146,8 @@ neverallow { all_untrusted_apps -mediaprovider } {
')
}:dir_file_class_set { create unlink };
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
# No untrusted component except mediaprovider_app should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;

View file

@ -0,0 +1,40 @@
###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain;
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
# Talk to the DRM service
allow mediaprovider_app drmserver_service:service_manager find;
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
# Allow MediaProvider to set extended attributes (such as quota project ID)
# on media files.
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};

View file

@ -60,9 +60,6 @@ allow priv_app cache_file:lnk_file r_file_perms;
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
# Access to /mnt/pass_through.
allow priv_app mnt_pass_through_file:dir r_dir_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;

View file

@ -158,6 +158,8 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user