tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/audioserver.te
Svet Ganov b9a1e7ba84 Don't record audio if UID is idle - sepolicy 
If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
              -t android.media.cts.AudioRecordTest

bug:63938985

Change-Id: I8c044e588bac4182efcdc08197925fddf593a717
2018-01-16 21:22:18 -08:00

78 lines
2.8 KiB
Text
Raw Blame History

# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
# ptrace to processes in the same domain for memory leak detection
allow audioserver self:process ptrace;
')
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Allow shell commands from ADB for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
Reference in a new issue View git blame Copy permalink