platform_system_sepolicy/private/audioserver.te

86 lines
3.1 KiB
Text
Raw Normal View History

# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
# ptrace to processes in the same domain for memory leak detection
allow audioserver self:process ptrace;
')
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_prop)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;