platform_system_sepolicy/private/mediaprovider.te
Macpaul Lin 641c5ae99d Add FUNCTIONFS_ENDPOINT_ALLOC to ioctl_defines and mediaprovider.te
We've got a SELinux warning in kernel-5.10 when "File Transfer" (MTP)
has been enabled by user.

Error log:
avc: denied { ioctl } for  pid=5521 comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=102677 ioctlcmd=0x67e7 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0

Repeat steps:
  1. Connect the phone to PC with USB cable.
  2. Select "File Transfer" (MTP) in "USB Preferences" Menu.
  3. Selinux warning will arise after "File Transfer" has been enabled by user
     due to an IOCTL access to /dev/usb-ffs/mtp/ep1.

Solution:
  To resolve this warning, a sepolicy rule that allows this type of IOCTL is required.

Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Change-Id: Id340fb98062b3cee239343f3800f6dfceadeb572
Bug: 193473440
2021-07-13 09:33:15 +08:00


###
### mediaprovider: the domain for the android.process.media process, which
### hosts MediaProvider, DownloadProvider and their associated services.
###
typeattribute mediaprovider coredomain;
app_domain(mediaprovider)

# Network access is granted for DownloadProvider.
net_domain(mediaprovider)

# DownloadProvider works in /cache: it may create and manage directories and files there.
allow mediaprovider cache_file:dir create_dir_perms;
allow mediaprovider cache_file:file create_file_perms;
# On some devices /cache is a symlink to /data/cache, so the link itself must be readable.
allow mediaprovider cache_file:lnk_file r_file_perms;

# The orphan scan of /cache also stats /cache/recovery and /cache/backup.
# Those getattr denials are expected, so they are silenced (dontaudit) rather
# than allowed: access stays denied, only the audit noise is removed.
dontaudit mediaprovider { cache_private_backup_file cache_recovery_file }:dir getattr;

# External sdcards are reached through /mnt/media_rw; only directory search is granted.
allow mediaprovider mnt_media_rw_file:dir search;

# Services this domain is allowed to look up (service_manager find).
allow mediaprovider {
  app_api_service
  audioserver_service
  cameraserver_service
  drmserver_service
  mediaextractor_service
  mediaserver_service
}:service_manager find;

# Cached ringtones are opened by system, so this rule grants getattr/read/write
# on the file and deliberately does not include open.
allow mediaprovider ringtone_file:file { getattr read write };

# MtpServer talks to /dev/mtp_usb.
allow mediaprovider mtp_device:chr_file rw_file_perms;

# MtpServer uses the FunctionFS endpoints under /dev/usb-ffs/mtp.
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
# ioctl on functionfs files is limited to an explicit command allowlist: with
# these allowxperm rules in place, any other ioctl command from this domain on
# functionfs files is denied unless a rule elsewhere in the policy allows it.
# Keep the list minimal; extend it only for an observed and understood denial.
allowxperm mediaprovider functionfs:file ioctl {
  FUNCTIONFS_ENDPOINT_DESC
  FUNCTIONFS_ENDPOINT_ALLOC
};

# MtpServer sets sys.usb.ffs.mtp.ready.
# NOTE(review): presumably that property is labelled ffs_control_prop (the only
# type written here); ffs_config_prop is read-only for this domain. Confirm the
# labelling in property_contexts.
get_prop(mediaprovider, ffs_config_prop)
set_prop(mediaprovider, ffs_control_prop)

# DRM status may be retrieved by DownloadManager.
get_prop(mediaprovider, drm_service_config_prop)