diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68db..6470b0ef5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,7 @@ # Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -23,9 +23,9 @@ neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
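Review bot: The changed define folds mediaprovider into all_untrusted_apps, but nothing on that line explains why a coredomain that is then subtracted from five neverallows later in this file belongs in the untrusted set. A one-line comment above the define would spare the next reader the guesswork, e.g. `# mediaprovider is treated as an untrusted app for neverallow purposes; rules below that subtract it are deliberate, documented exceptions.` Keeping the list of subtracted rules short is what keeps the attribute meaning what its name says.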
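Review bot: Subtracting mediaprovider from `property_type:property_service set` in the second hunk lifts the property-service neverallow for every property type, whereas the only property this change grants the new domain is ffs_prop via set_prop(mediaprovider, ffs_prop) in private/mediaprovider.te. Any later allow rule giving mediaprovider some other property would then pass compile-time checking silently. A narrower guard next to the three changed lines, `neverallow mediaprovider { property_type -ffs_prop }:property_service set;`, pins the exception to what the change actually needs. The comment above those lines could also record the reason: `# mediaprovider is exempted only so MtpServer can set sys.usb.ffs.mtp.ready`.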
@@ -63,15 +63,15 @@ neverallow all_untrusted_apps *:{ } *;
# Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
fs_type -fuse # sdcard -sdcardfs # sdcard
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 000000000..4be640118
--- /dev/null
+++ b/private/mediaprovider.te
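Review bot: The last changed line exempts mediaprovider from the whole sandbox-escape neverallow, whose target set begins at `fs_type` and continues past the end of this hunk, while the only new filesystem access the domain receives in private/mediaprovider.te is to cache_file. Rather than dropping that guard for the domain wholesale, a parallel neverallow for mediaprovider with the same target set and `-cache_file` added to the exclusions would keep the create/unlink restriction in force on every other fs_type; the closing half of the statement is outside the hunk, so I cannot quote the full rule. The /cache exemption in the two lines above matches the create_dir_perms/create_file_perms rules in the new file and looks intentional.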
@@ -0,0 +1,34 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
diff --git a/private/priv_app.te b/private/priv_app.te
index 4ce142f0c..78cf7b81b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
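Review bot: The rules this file takes over from priv_app.te leave out the `allow priv_app mnt_media_rw_file:dir search;` that the priv_app.te hunk removes, so if android.process.media still traverses /mnt/media_rw the new domain will be denied at the directory search — either add `allow mediaprovider mnt_media_rw_file:dir search;` here or state in a comment that the FUSE bypass is dropped on purpose. The migrated mtp_device and functionfs rules were tagged in priv_app.te with bug 33574909; carrying that reference over, e.g. `# Moved from priv_app (33574909): MtpServer uses /dev/mtp_usb`, keeps the history findable from the new file. The header comment would also be the natural place to say that the domain is subject to the all_untrusted_apps neverallows except where app_neverallows.te subtracts it.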
@@ -104,20 +104,6 @@ allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4356889b5..dc7e3893b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -102,6 +102,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
diff --git a/public/kernel.te b/public/kernel.te
index 9537c0dfa..8a010a2aa 100644
--- a/public/kernel.te
+++ b/public/kernel.te
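Review bot: The added seapp_contexts entry selects on `seinfo=media`, which only resolves if mac_permissions.xml maps the media signing certificate to that seinfo, and this change does not touch mac_permissions.xml. If that mapping is not already present, android.process.media will never be labeled mediaprovider and will presumably land in whichever other `user=_app` entry matches its attributes, with the new domain's rules unused and the neverallow exemptions for it moot. Worth confirming the mapping exists, and a comment line above the entry such as `# android.process.media; depends on the media seinfo in mac_permissions.xml` would make the dependency visible to the next editor.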
@@ -50,9 +50,7 @@ allow kernel tmpfs:chr_file write;
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;
-# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
allow kernel sdcard_type:file { read write };
# Allow the kernel to read OBB files from app directories. (b/17428116)
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
new file mode 100644
index 000000000..24170a5cf
--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
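Review bot: Removing `allow kernel priv_app:fd use;` together with its `# MTP sync (b/15835289)` comment assumes the kernel no longer needs to use file descriptors handed over by the media process; now that the process runs as mediaprovider instead of priv_app the old rule would not have covered it anyway, but no `allow kernel mediaprovider:fd use;` is added in its place. If the b/15835289 path is still exercised, the first MTP sync will surface as a kernel-to-mediaprovider fd denial, so a short comment recording that the rule was retired deliberately (or the replacement rule) would settle the question. The ASEC comment that remains on the following line now describes only the sdcard_type rule, which reads correctly.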