From 496ac000f680d5a7c216d293ae69ffc9a01176e5 Mon Sep 17 00:00:00 2001 From: Martijn Coenen Date: Wed, 8 Jan 2020 14:55:53 +0100 Subject: Only allow Download authority/MTP/installers to write in Android/. Previously when FUSE was enabled, we gave all apps requesting WRITE_MEDIA_STORAGE or install permissions a direct view to the lower filesystem. This was way too broad for a few reasons: 1) WRITE_MEDIA_STORAGE will be deprecated; holding that permission by itself shouldn't grant you any special privileges. 2) Installers should only be able to write OBBs The only other exceptions that are allowed to bypass scoped storage are the process hosting the DownloadProvider and the process implementing the MTP server; both of these have legit reasons for writing in Android/. The way this is currently implemented is by giving these apps the SDCARD_RW gid, which has write access in the default Android/ sdcardfs view. Installers will be further scoped down to be only able to access OBB in a follow-up CL. Bug: 134706060 Bug: 146490513 Test: DownloadProvider can download Play + OBBs work Writing in Android/ through MTP works Change-Id: Iff8681732d0c1124e24e5347f7dcb64b781c1e8c --- core/java/android/os/Process.java | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'core/java/android/os/Process.java') diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java index 94623bc71346..3ef86ed9f994 100644 --- a/core/java/android/os/Process.java +++ b/core/java/android/os/Process.java @@ -88,6 +88,12 @@ public class Process { @UnsupportedAppUsage public static final int DRM_UID = 1019; + /** + * Defines the GID for the group that allows write access to the internal media storage. + * @hide + */ + public static final int SDCARD_RW_GID = 1015; + /** * Defines the UID/GID for the group that controls VPN services. * @hide -- cgit v1.2.3
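Review bot: The Javadoc on the new SDCARD_RW_GID constant ("write access to the internal media storage") does not match what the commit message says the GID actually grants, namely write access in the default Android/ sdcardfs view of external storage, which bypasses scoped storage; please align the wording and, since this is an @hide constant that future callers will copy, say explicitly that it mirrors the sdcard_rw group id and that handing it to a process is a scoped-storage exemption, not a generic storage permission. Note also that this cgit view is limited to core/java/android/os/Process.java, so the hunk only defines the constant; the actual assignment of the GID to the DownloadProvider process, the MTP server process and installers described in the message is not visible here, and a reviewer should check the companion changes before signing off that only those three cases receive it (the message itself says installers are still to be narrowed to OBB in a follow-up CL, so as landed this still grants installers full write access in Android/).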