platform_system_sepolicy/private/mediatuner.te

# mediatuner - mediatuner daemon
type mediatuner, domain;
type mediatuner_exec, system_file_type, exec_type, file_type;

typeattribute mediatuner coredomain;

init_daemon_domain(mediatuner)
hal_client_domain(mediatuner, hal_tv_tuner)

binder_use(mediatuner)
binder_call(mediatuner, appdomain)
binder_service(mediatuner)

add_service(mediatuner, mediatuner_service)
allow mediatuner system_server:fd use;
allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
allow mediatuner package_native_service:service_manager find;
binder_call(mediatuner, system_server)

# Read ro.tuner.lazyhal
get_prop(mediatuner, tuner_config_prop)

# Read tuner.server.enable
get_prop(mediatuner, tuner_server_ctl_prop)

###
### neverallow rules
###

# mediatuner should never execute any executable without a
# domain transition
neverallow mediatuner { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
SE policy for tuner service. Test: make; acloud; tuner sample input Change-Id: I651632ec7f4ba79d94738c11c343f63510e59aa6 2020-09-12 02:50:45 +02:00			`# mediatuner - mediatuner daemon`
			`type mediatuner, domain;`
			`type mediatuner_exec, system_file_type, exec_type, file_type;`

			`typeattribute mediatuner coredomain;`

			`init_daemon_domain(mediatuner)`
			`hal_client_domain(mediatuner, hal_tv_tuner)`

			`binder_use(mediatuner)`
			`binder_call(mediatuner, appdomain)`
			`binder_service(mediatuner)`

			`add_service(mediatuner, mediatuner_service)`
			`allow mediatuner system_server:fd use;`
Allow TunerService to find and call TunerResourceManager Service Test: atest android.media.tv.tuner.cts Bug: 159067322 Change-Id: I00982a9b7ddc68ea8bf89c7e24b65a00d3d14646 2021-01-21 20:08:37 +01:00			`allow mediatuner tv_tuner_resource_mgr_service:service_manager find;`
Allow TunerService to find and call native Package Manager Service Test: local tested on Cuttlefish Bug: 181350336 Change-Id: If5df4593a17bd0a3b21bb44b54c305f79660c663 2021-03-02 01:48:02 +01:00			`allow mediatuner package_native_service:service_manager find;`
Allow TunerService to find and call TunerResourceManager Service Test: atest android.media.tv.tuner.cts Bug: 159067322 Change-Id: I00982a9b7ddc68ea8bf89c7e24b65a00d3d14646 2021-01-21 20:08:37 +01:00			`binder_call(mediatuner, system_server)`
SE policy for tuner service. Test: make; acloud; tuner sample input Change-Id: I651632ec7f4ba79d94738c11c343f63510e59aa6 2020-09-12 02:50:45 +02:00
Add properties to configure whether the lazy tuner is enabled. ro.tuner.lazyhal: system_vendor_config_prop to decide whether the lazy tuner HAL is enabled. tuner.server.enable: system_internal_prop to decide whether tuner server should be enabled. Bug: 236002754 Test: Check tuner HAL and framework behavior Change-Id: I6a2ebced0e0261f669e7bda466f46556dedca016 2022-08-09 23:57:02 +02:00			`# Read ro.tuner.lazyhal`
			`get_prop(mediatuner, tuner_config_prop)`

Allow mediatuner to get tuner.server.enable Bug: 287520719 Test: start mediatuner Change-Id: I582aac593e2419b6cae37522e6493744fe58240a 2023-06-20 18:07:23 +02:00			`# Read tuner.server.enable`
			`get_prop(mediatuner, tuner_server_ctl_prop)`

SE policy for tuner service. Test: make; acloud; tuner sample input Change-Id: I651632ec7f4ba79d94738c11c343f63510e59aa6 2020-09-12 02:50:45 +02:00			`###`
			`### neverallow rules`
			`###`

			`# mediatuner should never execute any executable without a`
			`# domain transition`
			`neverallow mediatuner { file_type fs_type }:file execute_no_trans;`

			`# do not allow privileged socket ioctl commands`
			`neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`