merge in nyc-release history after reset to master
diff --git a/app.te b/app.te
index 70975d9..9f68327 100644
--- a/app.te
+++ b/app.te
@@ -240,6 +240,8 @@
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow appdomain cache_file:dir getattr;
+
###
### Neverallow rules
###
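Review bot: `allow appdomain cache_file:dir getattr;` is granted to every app domain with no stated reason, and a stat of /cache from application code is unusual enough that the next reader will not be able to tell which caller it serves. A one-line comment above the rule, e.g. `# TODO: document which app code path needs to stat /cache`, would keep the grant reviewable; the adbd rules around it are context and not the concern here.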
diff --git a/autoplay_app.te b/autoplay_app.te
index 022c036..f671d5d 100644
--- a/autoplay_app.te
+++ b/autoplay_app.te
@@ -41,10 +41,6 @@
allow autoplay_app autoplay_data_file:dir create_dir_perms;
allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
-# For /acct/uid/*/tasks.
-allow autoplay_app cgroup:dir { search write };
-allow autoplay_app cgroup:file w_file_perms;
-
# For art.
allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 6a329b7..0c42eb5 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -37,6 +37,7 @@
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth cameraserver_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
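Review bot: `allow bluetooth cameraserver_service:service_manager find;` gives bluetooth the camera service with no stated need; it presumably mirrors the existing mediaserver_service find because media.camera is relabelled to cameraserver_service in service_contexts, which preserves reachability rather than narrowing it. The same pattern is applied in nfc.te, radio.te, surfaceflinger.te, platform_app.te, priv_app.te, untrusted_app.te, mediaserver.te and system_server.te. Since the split is what makes a tighter grant possible, each domain's find should be kept only where a camera client is known to exist, and a comment such as `# media.camera was served by mediaserver before the cameraserver split` would record why it is here otherwise.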
diff --git a/cameraserver.te b/cameraserver.te
new file mode 100644
index 0000000..3a5dff3
--- /dev/null
+++ b/cameraserver.te
@@ -0,0 +1,120 @@
+# cameraserver - camera daemon
+type cameraserver, domain, domain_deprecated;
+type cameraserver_exec, exec_type, file_type;
+
+typeattribute cameraserver mlstrustedsubject;
+
+net_domain(cameraserver)
+init_daemon_domain(cameraserver)
+
+r_dir_file(cameraserver, sdcard_type)
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+# Required by Widevine DRM (b/22990512)
+allow cameraserver self:process execmem;
+
+allow cameraserver kernel:system module_request;
+allow cameraserver media_data_file:dir create_dir_perms;
+allow cameraserver media_data_file:file create_file_perms;
+allow cameraserver camera_data_file:dir create_dir_perms;
+allow cameraserver camera_data_file:file create_file_perms;
+allow cameraserver app_data_file:dir search;
+allow cameraserver app_data_file:file rw_file_perms;
+allow cameraserver sdcard_type:file write;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver video_device:dir r_dir_perms;
+allow cameraserver video_device:chr_file rw_file_perms;
+allow cameraserver audio_device:dir r_dir_perms;
+allow cameraserver tee_device:chr_file rw_file_perms;
+
+set_prop(cameraserver, audio_prop)
+
+# Access audio devices at all.
+allow cameraserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow cameraserver sysfs:file r_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow cameraserver apk_data_file:file { read getattr };
+allow cameraserver asec_apk_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow cameraserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow cameraserver appdomain:fifo_file { getattr read write };
+
+allow cameraserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow cameraserver system_server:fifo_file r_file_perms;
+
+# Camera data
+r_dir_file(cameraserver, camera_data_file)
+r_dir_file(cameraserver, media_rw_data_file)
+
+# Grant access to audio files to cameraserver
+allow cameraserver audio_data_file:dir ra_dir_perms;
+allow cameraserver audio_data_file:file create_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow cameraserver qtaguid_proc:file rw_file_perms;
+allow cameraserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow cameraserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(cameraserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(cameraserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow cameraserver tee:unix_stream_socket connectto;
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager { add find };
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver drmserver_service:service_manager find;
+allow cameraserver mediaextractor_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver permission_service:service_manager find;
+allow cameraserver power_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+# /oem access
+allow cameraserver oemfs:dir search;
+allow cameraserver oemfs:file r_file_perms;
+
+use_drmservice(cameraserver)
+allow cameraserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
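Review bot: Several grants in this new domain look broader than a camera daemon needs and appear to be carried over from the mediaserver policy rather than derived from observed denials: `allow cameraserver self:process execmem;` (justified only by a Widevine bug reference), `allow cameraserver app_data_file:file rw_file_perms;`, `allow cameraserver sdcard_type:file write;`, the audio_data_file, radio_data_file, rild and tee rules, and the full drmservice permission set. Each should be confirmed against a real camera HAL denial or dropped; execmem in particular gives the process writable-and-executable anonymous memory, which is the opposite of what the execute_no_trans neverallow at the bottom is trying to express. The domain is also declared with `domain_deprecated`, which attaches the legacy blanket rules to a brand-new domain; mediacodec.te in this same change does the same, and both would be cleaner with `type cameraserver, domain;` so only the rules listed here apply. The `# XXX Label with a specific type?` comment on the sysfs rule reads as copied context rather than a decision made for this daemon and should either be resolved or reworded.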
diff --git a/debuggerd.te b/debuggerd.te
index 576c76f..917c88c 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -22,7 +22,8 @@
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
+allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
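Review bot: The blank line added at the top of the hunk separates the three-line comment about dump_backtrace redirection from the rule it documents, so the comment now reads as orphaned. Drop the empty line so `allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;` sits directly under its comment as before.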
diff --git a/dumpstate.te b/dumpstate.te
index 667c8fc..f7a84f6 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
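Review bot: The comment says this list comes from native_processes_to_dump in dumpstate/utils.c, yet cameraserver and mediacodec are added to both rules here; unless that table is updated in the same change the comment becomes stale and the signal/dump_backtrace grants are wider than what dumpstate actually does. Either land the utils.c change alongside or reword the comment to `# Keep in sync with native_processes_to_dump in dumpstate/utils.c` so the coupling is explicit.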
diff --git a/file_contexts b/file_contexts
index 0a25389..17979dc 100644
--- a/file_contexts
+++ b/file_contexts
@@ -166,7 +166,9 @@
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
diff --git a/healthd.te b/healthd.te
index d09eab4..4f2a2ea 100644
--- a/healthd.te
+++ b/healthd.te
@@ -5,6 +5,9 @@
# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs)
+
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/mediacodec.te b/mediacodec.te
new file mode 100644
index 0000000..7cc7765
--- /dev/null
+++ b/mediacodec.te
@@ -0,0 +1,46 @@
+# mediacodec - multimedia daemon
+type mediacodec, domain, domain_deprecated;
+type mediacodec_exec, exec_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+init_daemon_domain(mediacodec)
+
+binder_use(mediacodec)
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+binder_service(mediacodec)
+
+allow mediacodec kernel:system module_request;
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir r_dir_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediacodec, drmserver, drmserver)
+
+allow mediacodec drmserver_service:service_manager find;
+allow mediacodec mediacodec_service:service_manager { add find };
+allow mediacodec processinfo_service:service_manager find;
+allow mediacodec surfaceflinger_service:service_manager find;
+
+use_drmservice(mediacodec)
+allow mediacodec drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
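Review bot: The header `# mediacodec - multimedia daemon` does not say what distinguishes this domain from mediaserver or mediaextractor, although the file itself shows it registers mediacodec_service and service_contexts maps media.codec to that type. Suggest `# mediacodec - media codec daemon; registers the media.codec service` so a reader can tell which process this policy is for without opening the other files.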
diff --git a/mediaserver.te b/mediaserver.te
index 8b5b5d5..257c1c2 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -81,10 +81,12 @@
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index e02c119..87c68a7 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,9 +18,11 @@
allow nfc sysfs:file write;
allow nfc audioserver_service:service_manager find;
+allow nfc cameraserver_service:service_manager find;
allow nfc drmserver_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
allow nfc mediaextractor_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index e5cd0a6..3d46f7f 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,9 +39,11 @@
allow platform_app vfat:file create_file_perms;
allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index d31bf47..9a3d0ac 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -20,15 +20,18 @@
create_pty(priv_app)
allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app voiceinteraction_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
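Review bot: `allow priv_app voiceinteraction_service:service_manager find;` is added without a comment, and it only makes sense together with the service.te hunk that removes app_api_service from voiceinteraction_service, so that ordinary apps lose the service and privileged apps keep it. A one-line comment such as `# voiceinteraction_service is no longer app_api_service; only priv_app may find it` above the rule would keep that coupling visible to whoever next edits either file.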
diff --git a/radio.te b/radio.te
index 0da43a6..c4df1f7 100644
--- a/radio.te
+++ b/radio.te
@@ -28,6 +28,7 @@
set_prop(radio, ctl_rildaemon_prop)
allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find };
diff --git a/recovery.te b/recovery.te
index d2cc90e..afacf40 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,7 +48,7 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
- access_kmsg(recovery)
+ allow recovery kernel:system syslog_read;
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
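Review bot: The replacement line `+ allow recovery kernel:system syslog_read;` keeps the stray leading space of the line it replaces while every neighbouring rule in the hunk starts at column 0; drop the indent so the file stays uniform. The access_kmsg macro being inlined here is deleted from te_macros in this same change, so any remaining caller in device-specific policy, if one exists, would fail at policy build time and is worth a search before landing.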
diff --git a/sdcardd.te b/sdcardd.te
index 056e9f8..846c59b 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -4,6 +4,7 @@
allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd tmpfs:dir r_dir_perms;
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
diff --git a/service.te b/service.te
index 6c284e6..7c771d2 100644
--- a/service.te
+++ b/service.te
@@ -1,5 +1,6 @@
type audioserver_service, service_manager_type;
type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
type drmserver_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
@@ -9,6 +10,7 @@
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediacodec_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
@@ -98,7 +100,7 @@
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 58120c0..972718a 100644
--- a/service_contexts
+++ b/service_contexts
@@ -63,11 +63,12 @@
lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:mediaserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:audioserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 8fb6463..31f7de6 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -54,6 +54,7 @@
# media.player service
allow surfaceflinger audioserver_service:service_manager find;
+allow surfaceflinger cameraserver_service:service_manager find;
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index 55c3fff..65be901 100644
--- a/system_server.te
+++ b/system_server.te
@@ -78,6 +78,7 @@
# Set scheduling info for apps.
allow system_server { appdomain autoplay_app }:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
@@ -138,12 +139,14 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, audioserver)
+r_dir_file(system_server, cameraserver)
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, mediaextractor)
+r_dir_file(system_server, mediacodec)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)
@@ -151,6 +154,8 @@
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server cameraserver:tcp_socket rw_socket_perms;
+allow system_server cameraserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;
@@ -380,6 +385,7 @@
allow system_server sysfs_zram:file r_file_perms;
allow system_server audioserver_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -387,6 +393,7 @@
allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
diff --git a/te_macros b/te_macros
index 6d91835..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -270,16 +270,6 @@
')
#####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-define(`access_kmsg', `
-allow $1 kernel:system syslog_read;
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
diff --git a/untrusted_app.te b/untrusted_app.te
index 333f1f4..33a6171 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -67,10 +67,12 @@
allow untrusted_app servicemanager:service_manager list;
allow untrusted_app audioserver_service:service_manager find;
+allow untrusted_app cameraserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediacodec_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
diff --git a/vold.te b/vold.te
index e16ec73..67e461a 100644
--- a/vold.te
+++ b/vold.te
@@ -8,6 +8,17 @@
domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, sdcardd_exec, sdcardd);
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs)
+r_dir_file(vold, rootfs)
+
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, shell_exec, blkid);
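Review bot: The comment `# Read already opened /cache files.` understates the first rule: `allow vold cache_file:dir r_dir_perms;` lets vold list and traverse /cache, not only read descriptors it was handed. If only already-open files are meant, `allow vold cache_file:dir search;` is the narrower form; otherwise reword the comment to say vold reads /cache directly. The pseudo-filesystem block below also grants r_dir_file on rootfs, which is broader than proc, proc_net and sysfs and deserves its own one-line reason.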
diff --git a/zygote.te b/zygote.te
index f3a8853..67fd621 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;