8510d31ed3
Use more general type names for the contents of /data/misc/camera and /data/misc/audio. These were the names used in our policy until 4.3 was released, at which point we switched to be consistent with AOSP. However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and Galaxy Note 3 4.3 image all shipped with policies using _data_file names because they were based on our older policy. So we may as well switch AOSP to these names. Not sure if in fact these could be all coalesced to the new media_data_file type for /data/misc/media introduced by Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343. Options to fix already existing devices, which would only apply to Nexus devices with 4.3 or 4.4 at this point: 1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either the system/core init.rc or to the device-specific init.*.rc files. -or- 2) Add a typealias declaration in the policy to remap the old type names. to the new ones. Then existing types on persistent storage will be remapped internally to the new ones. -or- 3) Some sort of relabeld. Option #2 is implemented by this change. Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
63 lines
2.2 KiB
Text
63 lines
2.2 KiB
Text
# mediaserver - multimedia daemon
|
|
type mediaserver, domain;
|
|
permissive mediaserver;
|
|
type mediaserver_exec, exec_type, file_type;
|
|
|
|
typeattribute mediaserver mlstrustedsubject;
|
|
|
|
net_domain(mediaserver)
|
|
init_daemon_domain(mediaserver)
|
|
unix_socket_connect(mediaserver, property, init)
|
|
|
|
r_dir_file(mediaserver, sdcard_type)
|
|
|
|
binder_use(mediaserver)
|
|
binder_call(mediaserver, binderservicedomain)
|
|
binder_call(mediaserver, appdomain)
|
|
binder_service(mediaserver)
|
|
|
|
allow mediaserver self:process execmem;
|
|
allow mediaserver kernel:system module_request;
|
|
allow mediaserver media_data_file:dir rw_dir_perms;
|
|
allow mediaserver media_data_file:file create_file_perms;
|
|
allow mediaserver app_data_file:dir search;
|
|
allow mediaserver app_data_file:file rw_file_perms;
|
|
allow mediaserver platform_app_data_file:file { getattr read };
|
|
allow mediaserver sdcard_type:file write;
|
|
allow mediaserver graphics_device:chr_file rw_file_perms;
|
|
allow mediaserver video_device:chr_file rw_file_perms;
|
|
allow mediaserver audio_device:dir r_dir_perms;
|
|
allow mediaserver qemu_device:chr_file rw_file_perms;
|
|
allow mediaserver tee_device:chr_file rw_file_perms;
|
|
allow mediaserver audio_prop:property_service set;
|
|
|
|
# Access audio devices at all.
|
|
allow mediaserver audio_device:chr_file rw_file_perms;
|
|
|
|
# XXX Label with a specific type?
|
|
allow mediaserver sysfs:file rw_file_perms;
|
|
|
|
# XXX Why?
|
|
allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
|
|
|
|
# Access camera device.
|
|
allow mediaserver camera_device:chr_file rw_file_perms;
|
|
allow mediaserver rpmsg_device:chr_file rw_file_perms;
|
|
|
|
# Inter System processes communicate over named pipe (FIFO)
|
|
allow mediaserver system_server:fifo_file r_file_perms;
|
|
|
|
# Camera data
|
|
allow mediaserver camera_data_file:dir r_dir_perms;
|
|
allow mediaserver camera_data_file:file r_file_perms;
|
|
|
|
# Grant access to audio files to mediaserver
|
|
allow mediaserver audio_data_file:dir ra_dir_perms;
|
|
allow mediaserver audio_data_file:file create_file_perms;
|
|
|
|
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
|
|
allow mediaserver qtaguid_proc:file rw_file_perms;
|
|
allow mediaserver qtaguid_device:chr_file r_file_perms;
|
|
|
|
# Allow abstract socket connection
|
|
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
|