From 1134bd001e51f0fb43bae24b32d03a3067bb5acc Mon Sep 17 00:00:00 2001
From: Dongwon Kang <dwkang@google.com>
Date: Mon, 6 Nov 2017 11:19:07 -0800
Subject: [PATCH] Allow mediaextractor to load libraries from apk_data_file

This is an experimental feature, enabled only on userdebug and eng builds.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
---
 private/app_neverallows.te          |  3 +++
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/service_contexts            |  1 +
 private/system_server.te            |  5 +++++
 public/domain.te                    |  1 +
 public/mediaextractor.te            | 10 ++++++++++
 public/service.te                   |  1 +
 7 files changed, 22 insertions(+)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ef5ed32..cf9d0d366 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -243,3 +243,6 @@ full_treble_only(`
     -untrusted_app_visible_halserver
   }:binder { call transfer };
 ')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f6889aec7..3a906e91f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -52,6 +52,7 @@
     lowpan_device
     lowpan_prop
     lowpan_service
+    mediaextractor_update_service
     mediaprovider_tmpfs
     netd_stable_secret_prop
     network_watchlist_data_file
diff --git a/private/service_contexts b/private/service_contexts
index c1ea51a92..373c7cca0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -88,6 +88,7 @@ media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
+media.extractor.update                    u:object_r:mediaextractor_update_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 035e8f158..6ebcab5e1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -746,6 +746,11 @@ allow system_server netd:bpf { map_read map_write };
 allow system_server user_profile_data_file:dir { search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+userdebug_or_eng(`
+  # Allow system server to notify mediaextractor of the plugin update.
+  allow system_server mediaextractor_update_service:service_manager find;
+')
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/domain.te b/public/domain.te
index 6a3d270eb..5879e26bb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -416,6 +416,7 @@ neverallow {
     userdebug_or_eng(`-su')
     -webview_zygote
     -zygote
+    userdebug_or_eng(`-mediaextractor')
 } {
     file_type
     -system_file
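Review bot: The added -mediaextractor entry takes mediaextractor out of this neverallow's whole source set, so on userdebug and eng builds the compile-time check no longer constrains it for any target type in the second brace group, not only apk_data_file. The head of the rule and its permission list are outside the hunk, so the exact permission being exempted cannot be confirmed from here. The line should carry a why-comment such as `# mediaextractor loads extractor plugins from the media update apk (experimental)`. A mediaextractor-specific neverallow in public/mediaextractor.te, with the same target set minus apk_data_file, would restore the guarantee for every other file type.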
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8ba89138d..44387fd47 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,6 +37,15 @@ allow mediaextractor ringtone_file:file { read getattr };
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
+userdebug_or_eng(`
+  # Allow extractor to add update service.
+  add_service(mediaextractor, mediaextractor_update_service)
+
+  # Allow extractor to load media extractor plugins from update apk.
+  allow mediaextractor apk_data_file:dir search;
+  allow mediaextractor apk_data_file:file { execute open };
+')
+
 ###
 ### neverallow rules
 ###
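Review bot: The rule `allow mediaextractor apk_data_file:file { execute open };` is keyed on apk_data_file, a label that as far as this patch shows is not specific to the media update apk, so the policy alone lets mediaextractor open and execute any file carrying that label. The same breadth applies to the `-apk_data_file` exception added to the `:file open` neverallow in the next hunk of this file. Because mediaextractor parses untrusted media, the comment should state what restricts loading to the intended package, e.g. `# Policy cannot tell the update apk from other apk_data_file files; the loader must verify the package before dlopen.` If the feature outlives the experiment, a dedicated type for the update package would let both the allow rule and the neverallow exception be scoped to it.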
@@ -63,4 +72,5 @@ neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
 neverallow mediaextractor {
   data_file_type
   -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
 }:file open;
diff --git a/public/service.te b/public/service.te
index 44c3ef6ca..6f9d47c2b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@ type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
+type mediaextractor_update_service, service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
-- 
GitLab