| typeattribute mediaextractor coredomain; |
| |
| init_daemon_domain(mediaextractor) |
| tmpfs_domain(mediaextractor) |
| allow mediaextractor appdomain_tmpfs:file { getattr map read write }; |
| allow mediaextractor mediaserver_tmpfs:file { getattr map read write }; |
| allow mediaextractor system_server_tmpfs:file { getattr map read write }; |
| |
| get_prop(mediaextractor, device_config_media_native_prop) |
| get_prop(mediaextractor, device_config_swcodec_native_prop) |
| |
| typeattribute mediaextractor mlstrustedsubject; |
| |
| binder_use(mediaextractor) |
| binder_call(mediaextractor, binderservicedomain) |
| binder_call(mediaextractor, appdomain) |
| binder_service(mediaextractor) |
| |
| add_service(mediaextractor, mediaextractor_service) |
| allow mediaextractor mediametrics_service:service_manager find; |
| allow mediaextractor hidl_token_hwservice:hwservice_manager find; |
| |
| allow mediaextractor system_server:fd use; |
| |
| hal_client_domain(mediaextractor, hal_cas) |
| hal_client_domain(mediaextractor, hal_allocator) |
| |
| r_dir_file(mediaextractor, cgroup) |
| r_dir_file(mediaextractor, cgroup_v2) |
| allow mediaextractor proc_meminfo:file r_file_perms; |
| |
| crash_dump_fallback(mediaextractor) |
| |
| # allow mediaextractor read permissions for file sources |
| allow mediaextractor { sdcard_type fuse }:file { getattr read }; |
| allow mediaextractor media_rw_data_file:file { getattr read }; |
| allow mediaextractor { app_data_file privapp_data_file }:file { getattr read }; |
| |
| # Read resources from open apk files passed over Binder |
| allow mediaextractor apk_data_file:file { read getattr }; |
| allow mediaextractor asec_apk_file:file { read getattr }; |
| allow mediaextractor ringtone_file:file { read getattr }; |
| |
| # overlay package access |
| allow mediaextractor vendor_overlay_file:file { read map }; |
| |
| # scan extractor library directory to dynamically load extractors |
| allow mediaextractor system_file:dir { read open }; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # mediaextractor should never execute any executable without a |
| # domain transition |
| neverallow mediaextractor { file_type fs_type }:file execute_no_trans; |
| |
| # The goal of the mediaserver split is to place media processing code into |
| # restrictive sandboxes with limited responsibilities and thus limited |
| # permissions. Example: Audioserver is only responsible for controlling audio |
| # hardware and processing audio content. Cameraserver does the same for camera |
| # hardware/content. Etc. |
| # |
| # Media processing code is inherently risky and thus should have limited |
| # permissions and be isolated from the rest of the system and network. |
| # Lengthier explanation here: |
| # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html |
| neverallow mediaextractor domain:{ udp_socket rawip_socket } *; |
| neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *; |
| |
| # mediaextractor should not be opening /data files directly. Any files |
| # it touches (with a few exceptions) need to be passed to it via a file |
| # descriptor opened outside the process. |
| neverallow mediaextractor { |
| data_file_type |
| userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins |
| with_native_coverage(`-method_trace_data_file') |
| }:file open; |
