# mediaserver - multimedia daemon
#
# Domain definition for the media server process. Rules are grouped by the
# resource class they touch; identical permission sets on several targets are
# expressed as one rule with a type set, which expands to the same access
# vectors as listing the targets individually.
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;

# Trusted MLS subject: may read/write across MLS levels (e.g. app data of
# different users handed to it over Binder).
typeattribute mediaserver mlstrustedsubject;

net_domain(mediaserver)

### Binder / IPC ###
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
add_service(mediaserver, mediaserver_service)

# Services mediaserver looks up through servicemanager.
allow mediaserver {
    activity_service
    appops_service
    audio_service
    audioserver_service
    batterystats_service
    cameraserver_service
    drmserver_service
    mediadrmserver_service      # ModDrm / MediaPlayer
    mediaextractor_service
    mediametrics_service
    media_session_service
    permission_service
    power_service
    processinfo_service
    scheduling_policy_service
    surfaceflinger_service
}:service_manager find;

# Hybrid (HIDL token) interfaces.
allow mediaserver hidl_token_hwservice:hwservice_manager find;

# Descriptors received from other processes.
allow mediaserver {
    hal_graphics_allocator
    hal_graphics_composer
    hal_camera
    system_server
    vold                        # b/120491318
}:fd use;

# Pipes passed over Binder from app domains, and the FIFO used by
# system_server to talk to us.
allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver system_server:fifo_file r_file_perms;

# Unix socket connections to the DRM server (DRM-protected playback) and to
# bluetooth (audio on a paired BT device); expected on all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
unix_socket_connect(mediaserver, bluetooth, bluetooth)

### Files ###
# stat /proc/self
allow mediaserver proc:lnk_file getattr;

# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;

# Media storage: /data/media (media_rw_data_file) and media_data_file.
# The media_rw_data_file rules should go away if sdcardfs is changed to alter
# the secontext of its accesses to the underlying filesystem.
r_dir_file(mediaserver, media_rw_data_file)
allow mediaserver { media_data_file media_rw_data_file }:dir create_dir_perms;
allow mediaserver { media_data_file media_rw_data_file }:file create_file_perms;

# App private data. Note the absence of `open`: these permissions apply to
# descriptors handed to mediaserver (e.g. over Binder), not to files it opens
# on its own.
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };

# External storage: read via r_dir_file, plus write on files.
r_dir_file(mediaserver, sdcard_type)
allow mediaserver sdcard_type:file write;

r_dir_file(mediaserver, cgroup)

# Read-only access to packaged resources passed over Binder: apks, ringtones,
# /data/data/com.android.providers.telephony files and files on appfuse.
allow mediaserver {
    apk_data_file
    asec_apk_file
    ringtone_file
    radio_data_file
    app_fuse_file
}:file { read getattr };

# /vendor apks and overlay packages (read + map only).
allow mediaserver { vendor_app_file vendor_overlay_file }:file { read getattr map };

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;

# Media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };

### Devices ###
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver { gpu_device video_device rpmsg_device }:chr_file rw_file_perms;
allow mediaserver ion_device:chr_file r_file_perms;

hal_client_domain(mediaserver, hal_allocator)

set_prop(mediaserver, audio_prop)

### DRM ###
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
    consumeRights
    setPlaybackStatus
    openDecryptSession
    closeDecryptSession
    initializeDecryptUnit
    decrypt
    finalizeDecryptUnit
    pread
};

### Sockets ###
# Only unprivileged socket ioctl commands are permitted on our own sockets.
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
    ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

### Debug builds only ###
userdebug_or_eng(`
    # ptrace of processes in the same domain for memory leak detection;
    # not granted on user builds.
    allow mediaserver self:process ptrace;
')

###
### neverallow rules
###

# mediaserver must never execute anything without a domain transition.
neverallow mediaserver { file_type fs_type }:file execute_no_trans;

# Privileged socket ioctl commands are never permitted, regardless of target.
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;