dd958e5a21
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access IAllocator's fd. Specifically, hwbinder_use(...) for avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 allow ... ion_device:chr_file r_file_perms for avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 allow ... gpu_device:chr_file rw_file_perms; for avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 binder_call(surfaceflinger, ...) for avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1 allow ... ...:fd use for avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1 Bug: 32021161 Test: make bootimage Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
140 lines
4.8 KiB
Text
140 lines
4.8 KiB
Text
# mediaserver - multimedia daemon
|
|
type mediaserver, domain;
|
|
type mediaserver_exec, exec_type, file_type;
|
|
|
|
typeattribute mediaserver mlstrustedsubject;
|
|
|
|
net_domain(mediaserver)
|
|
|
|
r_dir_file(mediaserver, sdcard_type)
|
|
r_dir_file(mediaserver, cgroup)
|
|
|
|
# stat /proc/self
|
|
allow mediaserver proc:lnk_file getattr;
|
|
|
|
# open /vendor/lib/mediadrm
|
|
allow mediaserver system_file:dir r_dir_perms;
|
|
|
|
userdebug_or_eng(`
|
|
# ptrace to processes in the same domain for memory leak detection
|
|
allow mediaserver self:process ptrace;
|
|
')
|
|
|
|
binder_use(mediaserver)
|
|
binder_call(mediaserver, binderservicedomain)
|
|
binder_call(mediaserver, { appdomain ephemeral_app })
|
|
binder_service(mediaserver)
|
|
|
|
allow mediaserver media_data_file:dir create_dir_perms;
|
|
allow mediaserver media_data_file:file create_file_perms;
|
|
allow mediaserver app_data_file:dir search;
|
|
allow mediaserver app_data_file:file rw_file_perms;
|
|
allow mediaserver sdcard_type:file write;
|
|
allow mediaserver gpu_device:chr_file rw_file_perms;
|
|
allow mediaserver video_device:dir r_dir_perms;
|
|
allow mediaserver video_device:chr_file rw_file_perms;
|
|
|
|
set_prop(mediaserver, audio_prop)
|
|
|
|
# XXX Label with a specific type?
|
|
allow mediaserver sysfs:file r_file_perms;
|
|
|
|
# Read resources from open apk files passed over Binder.
|
|
allow mediaserver apk_data_file:file { read getattr };
|
|
allow mediaserver asec_apk_file:file { read getattr };
|
|
allow mediaserver ringtone_file:file { read getattr };
|
|
|
|
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
|
allow mediaserver radio_data_file:file { read getattr };
|
|
|
|
# Use pipes passed over Binder from app domains.
|
|
allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
|
|
|
|
allow mediaserver rpmsg_device:chr_file rw_file_perms;
|
|
|
|
# Inter System processes communicate over named pipe (FIFO)
|
|
allow mediaserver system_server:fifo_file r_file_perms;
|
|
|
|
r_dir_file(mediaserver, media_rw_data_file)
|
|
|
|
# Grant access to read files on appfuse.
|
|
allow mediaserver app_fuse_file:file { read getattr };
|
|
|
|
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
|
|
allow mediaserver qtaguid_proc:file rw_file_perms;
|
|
allow mediaserver qtaguid_device:chr_file r_file_perms;
|
|
|
|
# Allow abstract socket connection
|
|
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
|
|
|
|
# Needed on some devices for playing DRM protected content,
|
|
# but seems expected and appropriate for all devices.
|
|
unix_socket_connect(mediaserver, drmserver, drmserver)
|
|
|
|
# Needed on some devices for playing audio on paired BT device,
|
|
# but seems appropriate for all devices.
|
|
unix_socket_connect(mediaserver, bluetooth, bluetooth)
|
|
|
|
# Connect to tee service.
|
|
allow mediaserver tee:unix_stream_socket connectto;
|
|
|
|
allow mediaserver activity_service:service_manager find;
|
|
allow mediaserver appops_service:service_manager find;
|
|
allow mediaserver audioserver_service:service_manager find;
|
|
allow mediaserver cameraserver_service:service_manager find;
|
|
allow mediaserver batterystats_service:service_manager find;
|
|
allow mediaserver drmserver_service:service_manager find;
|
|
allow mediaserver mediaextractor_service:service_manager find;
|
|
allow mediaserver mediacodec_service:service_manager find;
|
|
allow mediaserver mediaserver_service:service_manager { add find };
|
|
allow mediaserver media_session_service:service_manager find;
|
|
allow mediaserver permission_service:service_manager find;
|
|
allow mediaserver power_service:service_manager find;
|
|
allow mediaserver processinfo_service:service_manager find;
|
|
allow mediaserver scheduling_policy_service:service_manager find;
|
|
allow mediaserver surfaceflinger_service:service_manager find;
|
|
|
|
# /oem access
|
|
allow mediaserver oemfs:dir search;
|
|
allow mediaserver oemfs:file r_file_perms;
|
|
|
|
use_drmservice(mediaserver)
|
|
allow mediaserver drmserver:drmservice {
|
|
consumeRights
|
|
setPlaybackStatus
|
|
openDecryptSession
|
|
closeDecryptSession
|
|
initializeDecryptUnit
|
|
decrypt
|
|
finalizeDecryptUnit
|
|
pread
|
|
};
|
|
|
|
# only allow unprivileged socket ioctl commands
|
|
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
|
|
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
|
|
|
# Access to /data/media.
|
|
# This should be removed if sdcardfs is modified to alter the secontext for its
|
|
# accesses to the underlying FS.
|
|
allow mediaserver media_rw_data_file:dir create_dir_perms;
|
|
allow mediaserver media_rw_data_file:file create_file_perms;
|
|
|
|
# Access to /data/preloads
|
|
allow mediaserver preloads_data_file:file { getattr read ioctl };
|
|
|
|
allow mediaserver ion_device:chr_file r_file_perms;
|
|
allow mediaserver hal_graphics_allocator:fd use;
|
|
|
|
allow mediaserver system_server:fd use;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# mediaserver should never execute any executable without a
|
|
# domain transition
|
|
neverallow mediaserver { file_type fs_type }:file execute_no_trans;
|
|
|
|
# do not allow privileged socket ioctl commands
|
|
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|