tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/mediaserver.te
Felka Chang 1eb2669218 Fix mediaserver meets the void fd use denied 
scenario: droid.apps.docs: type=1400 audit(0.0:77): avc: denied {
use } for path="/mnt/appfuse/10028_6/9" dev="fuse" ino=9
scontext=u:r:mediaserver:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0

root cause: DocumentsUI provides ArchiveProvider to browse the entries
in archive files by using StorageManager.openProxyFileDescriptor.
i.e. the file descriptor comes from the archive entries is belong to
the void fd.  The file descriptor is used by mediaserver but
mediaserver doesn't have the permission to use the file descriptor.

Fixes: 120491318
Test: build, flash, manual test
Change-Id: Ibaf9a625c7b68c3f1977fcaddd6c7d5419352f93
2019-03-22 22:41:49 +08:00

144 lines
4.9 KiB
Text
Raw Blame History

# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;
typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;
userdebug_or_eng(`
# ptrace to processes in the same domain for memory leak detection
allow mediaserver self:process ptrace;
')
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
set_prop(mediaserver, audio_prop)
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
allow mediaserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;
r_dir_file(mediaserver, media_rw_data_file)
# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
# For interfacing with OMX HAL
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};
# only allow unprivileged socket ioctl commands
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir create_dir_perms;
allow mediaserver media_rw_data_file:file create_file_perms;
# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;
hal_client_domain(mediaserver, hal_allocator)
###
### neverallow rules
###
# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Reference in a new issue View git blame Copy permalink