Allow access to mediaanalytics service

media framework analytics are gathered in a separate service. define a context for this new service, allow various media-related services and libraries to access this new service. Bug: 30267133 Test: ran media CTS, watched for selinux denials. Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
2016-12-02 11:26:54 -08:00 · 2016-12-02 11:26:54 -08:00 · 090f4a4d9f
commit 090f4a4d9f
parent 17c675b327
10 changed files with 38 additions and 0 deletions
--- a/private/file_contexts
+++ b/private/file_contexts
@ -173,6 +173,7 @@
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/mediaanalytics	u:object_r:mediaanalytics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mediacodec	u:object_r:mediacodec_exec:s0
--- a/private/mediaanalytics.te
+++ b/private/mediaanalytics.te
@ -0,0 +1,3 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 init_daemon_domain(mediaanalytics)
--- a/private/service_contexts
+++ b/private/service_contexts
@ -75,6 +75,7 @@ media.camera                              u:object_r:cameraserver_service:s0
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.analytics                           u:object_r:mediaanalytics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
--- a/public/mediaanalytics.te
+++ b/public/mediaanalytics.te
@ -0,0 +1,26 @@
 # mediaanalytics - daemon for collecting media analytics data
 type mediaanalytics, domain;
 type mediaanalytics_exec, exec_type, file_type;
 binder_use(mediaanalytics)
 binder_call(mediaanalytics, binderservicedomain)
 binder_service(mediaanalytics)
 allow mediaanalytics mediaanalytics_service:service_manager add;
 allow mediaanalytics system_server:fd use;
 r_dir_file(mediaanalytics, cgroup)
 allow mediaanalytics proc_meminfo:file r_file_perms;
 ###
 ### neverallow rules
 ###
 # mediaanalytics should never execute any executable without a
 # domain transition
 neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;
 # mediaanalytics should never need network access. Disallow network sockets.
 neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@ -10,6 +10,7 @@ binder_call(mediacodec, appdomain)
 binder_service(mediacodec)
 allow mediacodec mediacodec_service:service_manager add;
 allow mediacodec mediaanalytics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@ -47,6 +47,7 @@ allow mediadrmserver tee:unix_stream_socket connectto;
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 allow mediadrmserver mediaanalytics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@ -10,6 +10,7 @@ binder_call(mediaextractor, appdomain)
 binder_service(mediaextractor)
 allow mediaextractor mediaextractor_service:service_manager add;
 allow mediaextractor mediaanalytics_service:service_manager find;
 allow mediaextractor system_server:fd use;
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@ -87,6 +87,7 @@ allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver mediaanalytics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
--- a/public/service.te
+++ b/public/service.te
@ -11,6 +11,7 @@ type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediaanalytics_service,    service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
--- a/public/system_server.te
+++ b/public/system_server.te
@ -179,6 +179,7 @@ allow system_server {
  mediadrmserver
  mediaextractor
  mediaserver
  mediaanalytics
  sdcardd
  surfaceflinger
 }:debuggerd dump_backtrace;
@ -462,6 +463,7 @@ allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;