Split mediaprovider from priv_app.
MediaProvider requires permissions that diverge from those of a typical priv_app. This creates a new domain and removes MTP-related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
parent
c493a88edb
commit
c147b592b8
6 changed files with 48 additions and 23 deletions
|
@ -5,7 +5,7 @@
|
||||||
# Only allow domains in AOSP to use the untrusted_app_all attribute.
|
# Only allow domains in AOSP to use the untrusted_app_all attribute.
|
||||||
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
|
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
|
||||||
|
|
||||||
define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
|
define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
|
||||||
# Receive or send uevent messages.
|
# Receive or send uevent messages.
|
||||||
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
|
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
|
||||||
|
|
||||||
|
@ -23,9 +23,9 @@ neverallow all_untrusted_apps service_manager_type:service_manager add;
|
||||||
|
|
||||||
# Do not allow untrusted apps to connect to the property service
|
# Do not allow untrusted apps to connect to the property service
|
||||||
# or set properties. b/10243159
|
# or set properties. b/10243159
|
||||||
neverallow all_untrusted_apps property_socket:sock_file write;
|
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
|
||||||
neverallow all_untrusted_apps init:unix_stream_socket connectto;
|
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
|
||||||
neverallow all_untrusted_apps property_type:property_service set;
|
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
|
||||||
|
|
||||||
# Do not allow untrusted apps to be assigned mlstrustedsubject.
|
# Do not allow untrusted apps to be assigned mlstrustedsubject.
|
||||||
# This would undermine the per-user isolation model being
|
# This would undermine the per-user isolation model being
|
||||||
|
@ -63,15 +63,15 @@ neverallow all_untrusted_apps *:{
|
||||||
} *;
|
} *;
|
||||||
|
|
||||||
# Do not allow untrusted apps access to /cache
|
# Do not allow untrusted apps access to /cache
|
||||||
neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
||||||
neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
|
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
|
||||||
|
|
||||||
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
|
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
|
||||||
# internal storage or sdcard.
|
# internal storage or sdcard.
|
||||||
# World accessible data locations allow application to fill the device
|
# World accessible data locations allow application to fill the device
|
||||||
# with unaccounted for data. This data will not get removed during
|
# with unaccounted for data. This data will not get removed during
|
||||||
# application un-installation.
|
# application un-installation.
|
||||||
neverallow all_untrusted_apps {
|
neverallow { all_untrusted_apps -mediaprovider } {
|
||||||
fs_type
|
fs_type
|
||||||
-fuse # sdcard
|
-fuse # sdcard
|
||||||
-sdcardfs # sdcard
|
-sdcardfs # sdcard
|
||||||
|
|
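Review bot: The `-mediaprovider` carve-out on `neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;` in the second hunk lifts the property-set ban for every property type, while private/mediaprovider.te only grants `set_prop(mediaprovider, ffs_prop)`. The sock_file write and init connectto exemptions above it are prerequisites of set_prop and cannot be avoided, but the set itself can stay pinned by a companion assertion directly after it: `neverallow mediaprovider { property_type -ffs_prop }:property_service set;`. The /cache and sandbox carve-outs in the third hunk exempt the whole domain as well; the sandbox neverallow that starts at `neverallow { all_untrusted_apps -mediaprovider } {` continues outside the hunk, so I cannot tell whether a target-side exception (e.g. excluding cache_file from the set) would be enough to keep the domain covered for everything else. Adding mediaprovider to `all_untrusted_apps` in the first hunk is the right default, since every other untrusted-app neverallow in this file now applies to it.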
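--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1,34 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)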
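Review bot: The four `service_manager find` allows in the middle of the new file are the only stanzas without a comment naming the consumer, unlike the /cache, ringtone and MTP stanzas around them, which each say which component needs the rule. A one-line comment such as `# Binder services looked up by android.process.media; TODO: record which component needs audioserver/mediaserver/surfaceflinger` would let a later reviewer tell a required lookup from one that can be dropped when the domain is tightened. I cannot tell from the page which code path needs them, so the comment should record that gap rather than guess at it.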
|
@ -104,20 +104,6 @@ allow priv_app preloads_data_file:dir r_dir_perms;
|
||||||
allow priv_app preloads_media_file:file r_file_perms;
|
allow priv_app preloads_media_file:file r_file_perms;
|
||||||
allow priv_app preloads_media_file:dir r_dir_perms;
|
allow priv_app preloads_media_file:dir r_dir_perms;
|
||||||
|
|
||||||
# TODO: revert this as part of fixing 33574909
|
|
||||||
# android.process.media uses /dev/mtp_usb
|
|
||||||
allow priv_app mtp_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# TODO: revert this as part of fixing 33574909
|
|
||||||
# MtpServer uses /dev/usb-ffs/mtp
|
|
||||||
allow priv_app functionfs:dir search;
|
|
||||||
allow priv_app functionfs:file rw_file_perms;
|
|
||||||
|
|
||||||
# TODO: revert this as part of fixing 33574909
|
|
||||||
# Traverse into /mnt/media_rw for bypassing FUSE daemon
|
|
||||||
# TODO: narrow this to just MediaProvider
|
|
||||||
allow priv_app mnt_media_rw_file:dir search;
|
|
||||||
|
|
||||||
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
|
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
|
||||||
allow priv_app keystore:keystore_key gen_unique_id;
|
allow priv_app keystore:keystore_key gen_unique_id;
|
||||||
|
|
||||||
|
|
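Review bot: The removal of `allow priv_app mnt_media_rw_file:dir search;` near the end of the hunk has no counterpart in the new private/mediaprovider.te, even though its own comment says the rule was to be narrowed to MediaProvider, whereas the mtp_device and functionfs rules removed above it are re-granted to mediaprovider. If MediaProvider still traverses /mnt/media_rw to bypass the FUSE daemon this is a silent regression that the MTP and download tests in the description may not exercise; either add `allow mediaprovider mnt_media_rw_file:dir search;` to private/mediaprovider.te or state in the description that the traversal is intentionally dropped. An avc denial for mediaprovider on mnt_media_rw_file:dir in the test logs would be the signal to check for.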
|
@ -102,6 +102,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
|
||||||
user=shared_relro domain=shared_relro
|
user=shared_relro domain=shared_relro
|
||||||
user=shell seinfo=platform domain=shell type=shell_data_file
|
user=shell seinfo=platform domain=shell type=shell_data_file
|
||||||
user=_isolated domain=isolated_app levelFrom=user
|
user=_isolated domain=isolated_app levelFrom=user
|
||||||
|
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
|
||||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||||
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
|
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
|
||||||
user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
|
user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
|
||||||
|
|
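Review bot: The new `user=_app seinfo=media domain=mediaprovider name=android.process.media ...` entry is anchored by `seinfo=media` (presumably mapped to the media signing key in mac_permissions.xml), which is what stops an arbitrary app from claiming the domain, since the `name=` selector alone matches a process name the app declares for itself. That reasoning is not recorded anywhere in the file; a comment above the line, `# android.process.media: keyed on seinfo=media, name= alone is app-controlled and must not be the only selector`, would keep a later edit from dropping the seinfo selector when the entry is touched again.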
|
@ -50,9 +50,7 @@ allow kernel tmpfs:chr_file write;
|
||||||
allow kernel selinuxfs:file write;
|
allow kernel selinuxfs:file write;
|
||||||
allow kernel self:security setcheckreqprot;
|
allow kernel self:security setcheckreqprot;
|
||||||
|
|
||||||
# MTP sync (b/15835289)
|
|
||||||
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
||||||
allow kernel priv_app:fd use;
|
|
||||||
allow kernel sdcard_type:file { read write };
|
allow kernel sdcard_type:file { read write };
|
||||||
|
|
||||||
# Allow the kernel to read OBB files from app directories. (b/17428116)
|
# Allow the kernel to read OBB files from app directories. (b/17428116)
|
||||||
|
|
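Review bot: `allow kernel priv_app:fd use;` (the MTP sync rule, b/15835289) is removed outright and nothing in private/mediaprovider.te grants `allow kernel mediaprovider:fd use;`, while the other MTP rules in this commit are moved rather than dropped. If the kernel still uses file descriptors handed to it by MtpServer over the mtp_usb or functionfs path, that access now denies in the mediaprovider domain; if the original need is gone, the description should say so rather than leave it implicit. The manual MTP test and the CTS run listed in the description would surface it as a kernel avc denial on mediaprovider:fd, which is worth confirming in the logs before merging.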
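--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;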