# audioserver - audio services daemon
#
# Domain-specific rules for the audioserver process. The `type audioserver`
# declaration itself is not in this file (it is declared elsewhere); this file
# only attaches attributes and grants to it.

# audioserver carries the coredomain attribute (rules keyed on coredomain
# elsewhere in the policy therefore apply to it).
typeattribute audioserver coredomain;

# Label for the audioserver binary on disk; exec_type is what lets it be used
# as a domain-transition entrypoint below.
type audioserver_exec, exec_type, file_type;

# Standard init-launched daemon setup: init execs audioserver_exec and the
# process lands in the audioserver domain.
init_daemon_domain(audioserver)

# Read-only access (directories and files) to external storage.
# NOTE(review): no justification is recorded for this grant; confirm it is
# still needed rather than a leftover from the pre-split mediaserver policy.
r_dir_file(audioserver, sdcard_type)

# Binder: use the binder driver, call into system services and into apps
# (apps are audio clients), and register as a binder service itself.
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
Mark all clients of Allocator HAL
This change associates all domains which are clients of the Allocator HAL
with hal_allocator_client and with halclientdomain, which is required for
all HAL client domains.
This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.
Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.
P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
# HAL clients. audioserver talks to the Allocator HAL and the Audio HAL via
# the generic hal_client_domain macro (no per-HAL binder_call rules here).
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)

hal_client_domain(audioserver, hal_audio)

# Debug-only grants: everything inside this block is absent on user builds.
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
# Write access to media/audioserver data directories and files so captured
# PCM can be dumped to disk.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;

# ptrace to processes in the same domain for memory leak detection
# (target is `self` only; no ptrace of other domains is granted)
allow audioserver self:process ptrace;
')

# Register audioserver_service with servicemanager and look up the system
# services below. Only `find` is granted for those targets - audioserver
# cannot add or list them.
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;

# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_prop)

# Grant access to audio files to audioserver
# Directories get ra_dir_perms (read + add entries) rather than full
# create_dir_perms; files get create_file_perms.
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;

# allow access to ALSA MMAP FDs for AAudio API
# Only read/write on the chr_file - no `open` - so on Treble devices
# audioserver must receive these fds from another process (presumably the
# audio HAL) and cannot open the device nodes itself.
allow audioserver audio_device:chr_file { read write };

# Pre-Treble devices only: audioserver drives the audio device nodes
# directly, so it also needs directory access and the broader rw_file_perms
# set on the chr_files.
not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')

# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)

# Allow shell commands from ADB and shell for CTS testing/dumping
# These three rules apply on all build variants, user builds included:
# audioserver may use an fd owned by adbd, read/write adbd's stream socket,
# and read/write pipes owned by shell (e.g. dump output - inferred from the
# CTS comment). Nothing else from adbd or shell is granted.
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };

# Allow shell commands from ADB for CTS testing/dumping
# Same shape as the adbd/shell rules above but for `su`, and therefore
# limited to userdebug/eng builds.
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')

###
### neverallow rules
###

# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
#
# This forbids every permission on IP sockets regardless of the peer domain.
# Unix-domain sockets are deliberately not covered: the A2DP bridge rule
# above depends on one.
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;