I've been experimenting with the Content Provider MAC using a resolver app
installed as "untrusted_app" and a Content Provider installed as "release_app".
The device content_permissions.xml file entries, added as a BOARD_SEPOLICY_UNION
in the device BoardConfig.mk file, are shown below.
The problem is that when setTypes() is called by the PM the
"demo_resolver_package" type entry was never selected. This is because the
code in ContentSecurityManager.java selected the first match on the signature.
The attached patch will now check if the package the PM is processing has a
matching "package value=" entry in the package types and if found process
these first.
I'm not sure if this is the best way, but it does at least work (note: if the
content_permissions.xml file entries shown below are added at the beginning
of external/sepolicy/content_permissions.xml, then they would be found
without the patch, simply because the sigs match first).
content_permissions.xml file entries:

<policy>
  <!-- Resolver Package Type -->
  <type name="demo_resolver_package" component="package">
    <package value="com.example.resolvecontentdemo" />
    <permission value="com.example.contentprovider1.READ" />
    <permission value="com.example.contentprovider1.WRITE" />
  </type>

  <!-- Provider Content Type -->
  <type name="demo_provider">
    <package value="com.example.contentprovider1" />
    <signature value="@RELEASE"/>
    <provider value="com.example.contentprovider1.contentproviderdemo"/>
    <export-read value="normal" />
    <export-write value="dangerous" />
  </type>

  <allow-content>
    <allow source="demo_resolver_package" destination="demo_provider"
           permission="use;rw"/>
    <allow source="demo_resolver_package" destination="settings_provider"
           permission="use;r"/>
  </allow-content>
</policy>
Richard
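To make the selection-order problem concrete, here is an added Python model (not the ContentSecurityManager code from the patch) of the two assignment strategies, run over the policy entries above. The leading generic_release_app type and the @RELEASE signature for the resolver app are assumptions standing in for the earlier signature-only entry that, as the post describes, matches first.

```python
import xml.etree.ElementTree as ET

# Constructed policy: the two <type> entries from the post, preceded by an
# assumed signature-only type (not on the page) standing in for whatever
# earlier entry in content_permissions.xml matched the resolver's signature.
POLICY_XML = """<policy>
  <type name="generic_release_app" component="package">
    <signature value="@RELEASE"/>
  </type>
  <type name="demo_resolver_package" component="package">
    <package value="com.example.resolvecontentdemo" />
  </type>
  <type name="demo_provider">
    <package value="com.example.contentprovider1" />
    <signature value="@RELEASE"/>
  </type>
</policy>"""

def load_package_types(xml_text):
    """Return (type_name, package, signature) tuples in file order.
    A missing <package> or <signature> element is None, meaning 'any'."""
    types = []
    for t in ET.fromstring(xml_text).findall("type"):
        pkg, sig = t.find("package"), t.find("signature")
        types.append((t.get("name"),
                      None if pkg is None else pkg.get("value"),
                      None if sig is None else sig.get("value")))
    return types

def is_satisfied(ptype, pkg_name, pkg_sig):
    """Model of PackageType.isSatisfied(): every constraint present must match."""
    _, want_pkg, want_sig = ptype
    return want_pkg in (None, pkg_name) and want_sig in (None, pkg_sig)

def assign_first_match(types, pkg_name, pkg_sig):
    """Original ContentSecurityManager behaviour: first satisfied entry wins."""
    for t in types:
        if is_satisfied(t, pkg_name, pkg_sig):
            return t[0]
    return None

def assign_package_first(types, pkg_name, pkg_sig):
    """Patched behaviour: entries that name this package are tried first and,
    as in the patch, there is no fallback once such an entry exists."""
    named = [t for t in types if t[1] == pkg_name]
    if named:
        return assign_first_match(named, pkg_name, pkg_sig)
    return assign_first_match(types, pkg_name, pkg_sig)
```

With the generic entry first, assign_first_match() never reaches demo_resolver_package for com.example.resolvecontentdemo, while assign_package_first() does; a package that names a policy entry but fails its other constraints gets no type under either strategy here.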
--- a/ContentSecurityManager.java 2013-06-24 16:19:51.327748901 +0100
+++ b/ContentSecurityManager.java 2013-06-27 18:48:39.000000000 +0100
@@ -219,12 +219,27 @@
return;
}
- // Assign type to package as a whole
+ // Need to find if there is a matching package as this takes precedence
+ // If found then use this to check if okay.
+ int pkgCount = 0;
for (PackageType type : mPackageTypes) {
- if (type.isSatisfied(pkg)) {
- pkg.applicationInfo.cpMac = type.mTypeName;
- Slog.d(TAG, pkg.packageName + " assigned cpMAC=" + type.mTypeName);
- break;
+ if (pkg.packageName.equals(type.mPackageName)) {
+ pkgCount++;
+ if (type.isSatisfied(pkg)) {
+ pkg.applicationInfo.cpMac = type.mTypeName;
+ Slog.d(TAG, "Matched pkg=" + type.mPackageName + " assigned cpMAC=" + type.mTypeName);
+ break;
+ }
+ }
+ }
+ // If no matching package, then do as original code
+ if (pkgCount == 0) {
+ for (PackageType type : mPackageTypes) {
+ if (type.isSatisfied(pkg)) {
+ pkg.applicationInfo.cpMac = type.mTypeName;
+ Slog.d(TAG, pkg.packageName + " No pkg - assigned cpMAC=" + type.mTypeName);
+ break;
+ }
}
}
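Review bot: the `if (pkgCount == 0)` gate changes behaviour for a package that has a matching `<package value=...>` entry but fails that entry's other constraints (isSatisfied() false for every named entry): it now gets no cpMac at all, where the original loop would have fallen through to a later signature-only type. If that is intended (a package that names a policy entry must satisfy it, and must not silently inherit a generic type), say so in the comment above the first loop; if not, track whether any named entry was actually assigned (a boolean set next to `break;`) and fall back on that rather than on `pkgCount`. Since pkgCount is only ever compared with zero, a boolean such as `hasNamedEntry` would also read more clearly than a counter, and the two loop bodies differ only in the log text, so the assignment could be pulled into one small helper.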