platform_system_sepolicy/private/audioserver.te

# audioserver - audio services daemon

typeattribute audioserver coredomain;

type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)

r_dir_file(audioserver, sdcard_type)

binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)

hal_client_domain(audioserver, hal_audio)

allow audioserver system_file:dir r_dir_perms;

userdebug_or_eng(`
  # used for TEE sink - pcm capture for debug.
  allow audioserver media_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:file create_file_perms;

  # ptrace to processes in the same domain for memory leak detection
  allow audioserver self:process ptrace;
')

add_service(audioserver, audioserver_service)
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;

# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;

###
### neverallow rules
###

# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
Move audioserver policy to private This leaves only the existence of audioserver domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with audioserver_current except those created by other domains' allow rules referencing audioserver domain from public and vendor policies. Bug: 31364497 Change-Id: I6662394d8318781de6e3b0c125435b66581363af 2017-02-07 19:47:18 +01:00			`# audioserver - audio services daemon`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute audioserver coredomain;`

Move audioserver policy to private This leaves only the existence of audioserver domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with audioserver_current except those created by other domains' allow rules referencing audioserver domain from public and vendor policies. Bug: 31364497 Change-Id: I6662394d8318781de6e3b0c125435b66581363af 2017-02-07 19:47:18 +01:00			`type audioserver_exec, exec_type, file_type;`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`init_daemon_domain(audioserver)`
Move audioserver policy to private This leaves only the existence of audioserver domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with audioserver_current except those created by other domains' allow rules referencing audioserver domain from public and vendor policies. Bug: 31364497 Change-Id: I6662394d8318781de6e3b0c125435b66581363af 2017-02-07 19:47:18 +01:00
			`r_dir_file(audioserver, sdcard_type)`

			`binder_use(audioserver)`
			`binder_call(audioserver, binderservicedomain)`
			`binder_call(audioserver, appdomain)`
			`binder_service(audioserver)`

Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20 2017-02-13 23:40:49 +01:00			`hal_client_domain(audioserver, hal_audio)`
Move audioserver policy to private This leaves only the existence of audioserver domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with audioserver_current except those created by other domains' allow rules referencing audioserver domain from public and vendor policies. Bug: 31364497 Change-Id: I6662394d8318781de6e3b0c125435b66581363af 2017-02-07 19:47:18 +01:00
			`allow audioserver system_file:dir r_dir_perms;`

			userdebug_or_eng(`
			`# used for TEE sink - pcm capture for debug.`
			`allow audioserver media_data_file:dir create_dir_perms;`
			`allow audioserver audioserver_data_file:dir create_dir_perms;`
			`allow audioserver audioserver_data_file:file create_file_perms;`

			`# ptrace to processes in the same domain for memory leak detection`
			`allow audioserver self:process ptrace;`
			`')`

			`add_service(audioserver, audioserver_service)`
			`allow audioserver appops_service:service_manager find;`
			`allow audioserver batterystats_service:service_manager find;`
			`allow audioserver permission_service:service_manager find;`
			`allow audioserver power_service:service_manager find;`
			`allow audioserver scheduling_policy_service:service_manager find;`

			`# Grant access to audio files to audioserver`
			`allow audioserver audio_data_file:dir ra_dir_perms;`
			`allow audioserver audio_data_file:file create_file_perms;`

			`###`
			`### neverallow rules`
			`###`

			`# audioserver should never execute any executable without a`
			`# domain transition`
			`neverallow audioserver { file_type fs_type }:file execute_no_trans;`

Add documentation on neverallow rules Better document the reasons behind the neverallow for tcp/udp sockets. Test: policy compiles. Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9 2017-02-16 21:34:51 +01:00			`# The goal of the mediaserver split is to place media processing code into`
			`# restrictive sandboxes with limited responsibilities and thus limited`
			`# permissions. Example: Audioserver is only responsible for controlling audio`
			`# hardware and processing audio content. Cameraserver does the same for camera`
			`# hardware/content. Etc.`
			`#`
			`# Media processing code is inherently risky and thus should have limited`
			`# permissions and be isolated from the rest of the system and network.`
			`# Lengthier explanation here:`
			`# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html`
Move audioserver policy to private This leaves only the existence of audioserver domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with audioserver_current except those created by other domains' allow rules referencing audioserver domain from public and vendor policies. Bug: 31364497 Change-Id: I6662394d8318781de6e3b0c125435b66581363af 2017-02-07 19:47:18 +01:00			`neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;`