From f921dd9cad64bda6433b52b8c99ea8756819ef1b Mon Sep 17 00:00:00 2001
From: Jerry Zhang <zhangjerry@google.com>
Date: Thu, 22 Sep 2016 11:07:50 -0700
Subject: [PATCH] Move MediaProvider to its own domain, add new MtpServer
 permissions

Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

A denial from setting the property sys.usb.ffs.mtp.ready from the priv_app context.

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
---
 private/mac_permissions.xml |  5 ++++
 private/mediaprovider.te    |  1 +
 private/seapp_contexts      |  1 +
 public/file.te              |  2 +-
 public/mediaprovider.te     | 50 +++++++++++++++++++++++++++++++++++++
 public/priv_app.te          |  7 ------
 6 files changed, 58 insertions(+), 8 deletions(-)
 create mode 100644 private/mediaprovider.te
 create mode 100644 public/mediaprovider.te

diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 87efe0e25..1fcd2a409 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,4 +51,9 @@
       <seinfo value="platform" />
     </signer>
 
+    <!-- Media key in AOSP -->
+    <signer signature="@MEDIA" >
+      <seinfo value="media" />
+    </signer>
+
 </policy>
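Review bot: The new signer block's comment names the key but not what the seinfo is for, and the reader has to find the seapp_contexts hunk to see that `media` is the value that selects the mediaprovider domain. I would extend the comment to `<!-- Media key in AOSP; seinfo "media" is matched by seapp_contexts to select the mediaprovider domain -->`. Note that this entry only labels the seinfo; by itself it grants nothing, the domain assignment is decided by the seapp_contexts entry.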
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 000000000..a0ac0294f
--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1 @@
+app_domain(mediaprovider)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 6349a97f9..128900180 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -93,6 +93,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
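Review bot: The new entry selects the mediaprovider domain by signing key (seinfo=media) and process name alone; unlike the priv_app entry two lines below it carries no `isPrivApp=true`, so as I read seapp_contexts matching, a media-key-signed app running as android.process.media would land in this domain even when it is not installed as a privileged app. If MediaProvider is always expected to be a priv-app, gating the entry with `isPrivApp=true` keeps that invariant; if not, this is fine, but since mediaprovider inherits privileges moved out of priv_app (mtp_device, functionfs, ffs_prop) the intent deserves a one-line comment above the entry. The choice is inferred from this hunk only, so confirm against how MediaProvider is installed.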
diff --git a/public/file.te b/public/file.te
index 80df22d76..66680e67a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -59,7 +59,7 @@ type debugfs, fs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
 type pstorefs, fs_type;
-type functionfs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
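Review bot: Adding `mlstrustedobject` to functionfs exempts every functionfs object from MLS constraints for all subjects, not only mediaprovider, and the hunk gives no reason for it. Presumably it is needed because the new seapp_contexts entry uses levelFrom=user while the denied ep0 file is at s0, but that is inferred from the other hunks; a comment on the line, e.g. `type functionfs, fs_type, mlstrustedobject; # MTP endpoints are accessed by the per-user mediaprovider domain`, would record the reason so the attribute is not silently kept after the need goes away.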
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
new file mode 100644
index 000000000..f34410bcb
--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,50 @@
+type mediaprovider, domain;
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
+
+allow mediaprovider mediacodec_service:service_manager find;
+allow mediaprovider mediadrmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider system_api_service:service_manager find;
+
+# /sys and /proc access
+r_dir_file(mediaprovider, sysfs_type)
+r_dir_file(mediaprovider, proc)
+r_dir_file(mediaprovider, rootfs)
+
+# Access to /data/preloads
+allow mediaprovider preloads_data_file:file r_file_perms;
+
+###
+### neverallow rules (see corresponding rules in priv_app)
+###
+
+# Receive or send uevent messages.
+neverallow mediaprovider domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow mediaprovider domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow mediaprovider debugfs:file read;
+
+# Only trusted components of Android should be registering
+# services.
+neverallow mediaprovider service_manager_type:service_manager add;
+
+# Do not allow mediaprovider to be assigned mlstrustedsubject.
+neverallow mediaprovider mlstrustedsubject:process fork;
+
+# Do not allow mediaprovider to hard link to any files.
+neverallow mediaprovider file_type:file link;
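Review bot: The `mnt_media_rw_file:dir search` grant that the priv_app hunk below removes (its TODO said to narrow it to MediaProvider) has no counterpart in this new file, so unless it is granted somewhere outside this patch, android.process.media loses its /mnt/media_rw traversal on moving to this domain; I would add `# Traverse into /mnt/media_rw for bypassing FUSE daemon` / `allow mediaprovider mnt_media_rw_file:dir search;` next to the preloads rule. The file also has no header saying what the domain is for; a line such as `# Domain for MediaProvider (android.process.media), split out of priv_app so that MTP device access is not granted to every priv-app` above `type mediaprovider, domain;` would help. The neverallow comment says "see corresponding rules in priv_app", but since mediaprovider is no longer covered by priv_app's neverallows these copies are what actually constrain it, which is worth stating so future priv_app neverallow additions are mirrored here.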
diff --git a/public/priv_app.te b/public/priv_app.te
index 94d671725..2f2bfab20 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -16,9 +16,6 @@ allow priv_app self:process ptrace;
 allow priv_app app_data_file:file rx_file_perms;
 auditallow priv_app app_data_file:file execute_no_trans;
 
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
@@ -34,10 +31,6 @@ allow priv_app system_api_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-- 
GitLab