Create new mediaprovider_app domain.

This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548

private/app_neverallows.te

@@ -6,6 +6,7 @@ define(`all_untrusted_apps',`{
   ephemeral_app
   isolated_app
   mediaprovider
+  mediaprovider_app
   untrusted_app
   untrusted_app_25
   untrusted_app_27
@@ -145,8 +146,8 @@ neverallow { all_untrusted_apps -mediaprovider } {
   ')
 }:dir_file_class_set { create unlink };
 
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
 
 # Do not allow untrusted apps to directly open the tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;

private/mediaprovider_app.te

@@ -0,0 +1,40 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+};

private/priv_app.te

@@ -60,9 +60,6 @@ allow priv_app cache_file:lnk_file r_file_perms;
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
-# Access to /mnt/pass_through.
-allow priv_app mnt_pass_through_file:dir r_dir_perms;
-
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;

private/seapp_contexts

@@ -158,6 +158,8 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user