blob: 52d358142a3bea56919b9bdf386b068407b81f88 [file] [log] [blame]
# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;
typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;
userdebug_or_eng(`
# ptrace to processes in the same domain for memory leak detection
allow mediaserver self:process ptrace;
')
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
set_prop(mediaserver, audio_prop)
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
allow mediaserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;
r_dir_file(mediaserver, media_rw_data_file)
# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};
# only allow unprivileged socket ioctl commands
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir create_dir_perms;
allow mediaserver media_rw_data_file:file create_file_perms;
# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;
# overlay package access
allow mediaserver vendor_overlay_file:file { read getattr map };
hal_client_domain(mediaserver, hal_allocator)
###
### neverallow rules
###
# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;