Mediaextractor should only be operating on data passed directly to it.
It shouldn't be attempting to open /data files on its own.
Add a neverallow statement (compile time assertion + CTS test) to ensure
this is the case.
Bug: 67454004
Test: policy compiles. No runtime impact.
Change-Id: Ie94d4cb9aece7e72fbd13321f339dcf9d44d5d77

These denials are expected and the code has fallbacks to handle this
case.
Test: policy compiles.
Bug: 67454004
Change-Id: I787625494d0a7c9945318428b6fd3f668a8a2564

Needed to allow lower power Play Music of downloaded files.
05-24 10:12:49.331 24025 24025 W generic : type=1400
audit(0.0:1259): avc: denied { read } for
path="/data/data/com.google.android.music/files/music/925.mp3"
dev="sda35" ino=2179256 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
permissive=0
Test: Play Music
Bug: 62059834
Change-Id: I97bdb1d175dba8f7a8ec6cd9084323cfcd3660bd

Permit mediaextractor its own file source for apk and ringtone files.
Previously we fell back to the mediaserver file source.
This does not affect behavior as the fallback works fine; however,
the log messages may cause confusion.
[73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read }
for pid=18381 comm="generic"
path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35"
ino=2490374 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
[73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read }
for pid=18383 comm="generic"
path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35"
ino=2490376 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
Test: Ringtone and CTS
Bug: 37500781
Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998
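
The AVC denials quoted in the commit messages above can be triaged with a short parser that re-joins the wrapped records and groups them by source type, target type and class. This is an added example, not part of these commits or of the AOSP policy sources; the function names and the choice of the two sample records are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed input: two denials copied from the commit messages above,
# kept wrapped across lines the way they appear in the log.
SAMPLE = """\
05-24 10:12:49.331 24025 24025 W generic : type=1400
audit(0.0:1259): avc: denied { read } for
path="/data/data/com.google.android.music/files/music/925.mp3"
dev="sda35" ino=2179256 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
permissive=0
[73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read }
for pid=18381 comm="generic"
path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35"
ino=2490374 scontext=u:r:mediaextractor:s0
tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per AVC denial, re-joining records wrapped over lines."""
    flat = " ".join(text.split())
    records = []
    for chunk in re.split(r"(?=type=1400)", flat):
        m = AVC_RE.search(chunk)
        if not m:
            continue  # log prefix or unrelated text
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        rec["perms"] = m.group(1).split()
        records.append(rec)
    return records

def setype(context):
    """u:object_r:app_data_file:s0:c512,c768 -> app_data_file"""
    return context.split(":")[2]

def denied_access(records):
    """Map (source type, target type, class) -> sorted denied permissions."""
    acc = defaultdict(set)
    for r in records:
        acc[(setype(r["scontext"]), setype(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in acc.items()}

def data_paths(records, domain="mediaextractor"):
    """Paths under /data that `domain` was denied on: the accesses to review."""
    return [r["path"] for r in records
            if setype(r["scontext"]) == domain and r.get("path", "").startswith("/data/")]
```

`denied_access(parse_denials(SAMPLE))` yields one entry per target type (`app_data_file`, `ringtone_file`), which is the granularity at which a policy reviewer decides whether a denial is expected or needs a rule.
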
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallows to assert. Adjust those
neverallows so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

reflect the change from "mediaanalytics" to "mediametrics"
Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42

Media framework analytics are gathered in a separate service.
Define a context for this new service, allow various
media-related services and libraries to access this new service.
Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c