Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7da9f80d authored by Zim's avatar Zim Committed by Zimuzo Ezeozue
Browse files

Deprecate WRITE_MEDIA_STORAGE permission 

Previously, this permission would give the holder the media_rw gid
thereby granting access to the following file paths on disk:
1. /data/media
2. /mnt/media_rw
3. /mnt/expand/<uuid>/data/media

With the introduction of a stacked FUSE filesystem on external
storage, modifying any files directly on the lower filesystem (the
paths listed above) could lead to VFS cache inconsistencies and file
corruption.

To mitigate this risk, this cl blocks unneeded access to the lower
filesystem. Apps relying on this permission should instead use
android.permission.MANAGE_EXTERNAL_STORAGE.

Test: cat /proc/<pid>/status of mediaprovider doesn't have media_rw
Bug: 144914977

Change-Id: I8335d18067231657ac9793f7b1dcf6adb617ecfc
parent c6cf3a4d

api/system-current.txt

+1 −2
Original line number Diff line number Diff line
@@ -231,7 +231,7 @@ package android { 
    field public static final String WRITE_DEVICE_CONFIG = "android.permission.WRITE_DEVICE_CONFIG";

    field public static final String WRITE_DREAM_STATE = "android.permission.WRITE_DREAM_STATE";

    field public static final String WRITE_EMBEDDED_SUBSCRIPTIONS = "android.permission.WRITE_EMBEDDED_SUBSCRIPTIONS";

    field public static final String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";

    field @Deprecated public static final String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";

    field public static final String WRITE_OBB = "android.permission.WRITE_OBB";

  }










@@ -14034,4 +14034,3 @@ package android.webkit {













  }





























}





































api/test-current.txt



+1
−1




























Original line number
Diff line number
Diff line








@@ -19,7 +19,7 @@ package android {













    field public static final String SUSPEND_APPS = "android.permission.SUSPEND_APPS";















    field public static final String TEST_MANAGE_ROLLBACKS = "android.permission.TEST_MANAGE_ROLLBACKS";















    field public static final String WRITE_DEVICE_CONFIG = "android.permission.WRITE_DEVICE_CONFIG";













    field public static final String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";













    field @Deprecated public static final String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";















    field public static final String WRITE_OBB = "android.permission.WRITE_OBB";















  }

















































core/res/AndroidManifest.xml



+3
−0




























Original line number
Diff line number
Diff line








@@ -2253,6 +2253,9 @@













    <eat-comment />































    <!-- @SystemApi @TestApi Allows an application to write to internal media storage













         @deprecated This permission is no longer honored in the system and no longer adds













         the media_rw gid as a supplementary gid to the holder. Use the













         android.permission.MANAGE_EXTERNAL_STORAGE instead.















         @hide  -->















    <permission android:name="android.permission.WRITE_MEDIA_STORAGE"















        android:protectionLevel="signature|privileged" />

































data/etc/platform.xml



+0
−4




























Original line number
Diff line number
Diff line








@@ -60,10 +60,6 @@













        <group gid="log" />















    </permission>





























    <permission name="android.permission.WRITE_MEDIA_STORAGE" >













        <group gid="media_rw" />













    </permission>





























    <permission name="android.permission.ACCESS_MTP" >















        <group gid="mtp" />















    </permission>