08d4c8fa6e
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP policy, but slightly modified so the set of types and attributes is a subset of real 31.0 prebuilt (sc-dev policy). Steps taken to make the fake prebuilt: 1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target aosp_arm64-eng. 2) diff both outputs to find out which types and attributes don't exist. 3) remove all relevant files and statements. As a result, the following types are removed. artd artd_exec artd_service power_stats_service transformer_service virtualizationservice virtualizationservice_data_file virtualizationservice_exec Bug: 189161483 Test: N/A, will do after adding 31.0 mapping files. Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
56 lines
1.7 KiB
Text
56 lines
1.7 KiB
Text
###
|
|
### A domain for further sandboxing the MediaProvider mainline module.
|
|
###
|
|
type mediaprovider_app, domain, coredomain;
|
|
|
|
app_domain(mediaprovider_app)
|
|
|
|
# Access to /mnt/pass_through.
|
|
r_dir_file(mediaprovider_app, mnt_pass_through_file)
|
|
|
|
# Allow MediaProvider to host a FUSE daemon for external storage
|
|
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
|
|
|
|
# Allow MediaProvider to read/write media_rw_data_file files and dirs
|
|
allow mediaprovider_app media_rw_data_file:file create_file_perms;
|
|
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
|
|
|
|
# Talk to the DRM service
|
|
allow mediaprovider_app drmserver_service:service_manager find;
|
|
|
|
# Talk to the MediaServer service
|
|
allow mediaprovider_app mediaserver_service:service_manager find;
|
|
|
|
# Talk to regular app services
|
|
allow mediaprovider_app app_api_service:service_manager find;
|
|
|
|
# Talk to the GPU service
|
|
binder_call(mediaprovider_app, gpuservice)
|
|
|
|
# Talk to statsd
|
|
allow mediaprovider_app statsmanager_service:service_manager find;
|
|
binder_call(mediaprovider_app, statsd)
|
|
|
|
# read pipe-max-size configuration
|
|
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
|
|
|
|
# Allow MediaProvider to set extended attributes (such as quota project ID)
|
|
# on media files.
|
|
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
|
|
FS_IOC_FSGETXATTR
|
|
FS_IOC_FSSETXATTR
|
|
FS_IOC_GETFLAGS
|
|
FS_IOC_SETFLAGS
|
|
};
|
|
|
|
# Access external sdcards through /mnt/media_rw
|
|
allow mediaprovider_app { mnt_media_rw_file }:dir search;
|
|
|
|
allow mediaprovider_app proc_filesystems:file r_file_perms;
|
|
|
|
#Allow MediaProvider to see if sdcardfs is in use
|
|
get_prop(mediaprovider_app, storage_config_prop)
|
|
|
|
get_prop(mediaprovider_app, drm_service_config_prop)
|
|
|
|
allow mediaprovider_app gpu_device:dir search;
|