ce9c0c5a5f
Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
79 lines
3 KiB
Text
79 lines
3 KiB
Text
# mediaextractor - multimedia daemon
|
|
type mediaextractor, domain;
|
|
type mediaextractor_exec, system_file_type, exec_type, file_type;
|
|
type mediaextractor_tmpfs, file_type;
|
|
|
|
typeattribute mediaextractor mlstrustedsubject;
|
|
|
|
binder_use(mediaextractor)
|
|
binder_call(mediaextractor, binderservicedomain)
|
|
binder_call(mediaextractor, appdomain)
|
|
binder_service(mediaextractor)
|
|
|
|
add_service(mediaextractor, mediaextractor_service)
|
|
allow mediaextractor mediametrics_service:service_manager find;
|
|
allow mediaextractor hidl_token_hwservice:hwservice_manager find;
|
|
|
|
allow mediaextractor system_server:fd use;
|
|
|
|
hal_client_domain(mediaextractor, hal_cas)
|
|
hal_client_domain(mediaextractor, hal_allocator)
|
|
|
|
r_dir_file(mediaextractor, cgroup)
|
|
allow mediaextractor proc_meminfo:file r_file_perms;
|
|
|
|
crash_dump_fallback(mediaextractor)
|
|
|
|
# allow mediaextractor read permissions for file sources
|
|
allow mediaextractor sdcard_type:file { getattr read };
|
|
allow mediaextractor media_rw_data_file:file { getattr read };
|
|
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
|
|
|
|
# Read resources from open apk files passed over Binder
|
|
allow mediaextractor apk_data_file:file { read getattr };
|
|
allow mediaextractor asec_apk_file:file { read getattr };
|
|
allow mediaextractor ringtone_file:file { read getattr };
|
|
|
|
# scan extractor library directory to dynamically load extractors
|
|
allow mediaextractor system_file:dir { read open };
|
|
|
|
get_prop(mediaextractor, device_config_media_native_prop)
|
|
|
|
userdebug_or_eng(`
|
|
# Allow extractor to add update service.
|
|
allow mediaextractor mediaextractor_update_service:service_manager { find add };
|
|
|
|
# Allow extractor to load media extractor plugins from update apk.
|
|
allow mediaextractor apk_data_file:dir search;
|
|
allow mediaextractor apk_data_file:file { execute open };
|
|
')
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# mediaextractor should never execute any executable without a
|
|
# domain transition
|
|
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
|
|
|
|
# The goal of the mediaserver split is to place media processing code into
|
|
# restrictive sandboxes with limited responsibilities and thus limited
|
|
# permissions. Example: Audioserver is only responsible for controlling audio
|
|
# hardware and processing audio content. Cameraserver does the same for camera
|
|
# hardware/content. Etc.
|
|
#
|
|
# Media processing code is inherently risky and thus should have limited
|
|
# permissions and be isolated from the rest of the system and network.
|
|
# Lengthier explanation here:
|
|
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
|
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
|
|
# mediaextractor should not be opening /data files directly. Any files
|
|
# it touches (with a few exceptions) need to be passed to it via a file
|
|
# descriptor opened outside the process.
|
|
neverallow mediaextractor {
|
|
data_file_type
|
|
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
|
|
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file open;
|