blob: c5138a951a0d24ef7be4956e026edb01fd8075b6 [file] [log] [blame]
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;
binder_call(mediaextractor, binderservicedomain)
binder_call(mediaextractor, appdomain)
add_service(mediaextractor, mediaextractor_service)
allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;
allow mediaextractor system_server:fd use;
hal_client_domain(mediaextractor, hal_cas)
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;
# allow mediaextractor read permissions for file sources
allow mediaextractor sdcard_type:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
# Read resources from open apk files passed over Binder
allow mediaextractor apk_data_file:file { read getattr };
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
get_prop(mediaextractor, device_config_media_native_prop)
# Allow extractor to add update service.
allow mediaextractor mediaextractor_update_service:service_manager { find add };
# Allow extractor to load media extractor plugins from update apk.
allow mediaextractor apk_data_file:dir search;
allow mediaextractor apk_data_file:file { execute open };
### neverallow rules
# mediaextractor should never execute any executable without a
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
neverallow mediaextractor {
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
}:file open;