# mediaextractor - multimedia daemon
#
# Domain for the media extractor process. The neverallow rules at the bottom
# of this file define the sandbox it is meant to run in: no tcp/udp/rawip
# sockets, no executing files without a domain transition, and (with the
# listed exceptions) no opening /data files itself -- media sources are
# handed in as file descriptors opened by another process.
type mediaextractor, domain;
type mediaextractor_exec, exec_type, file_type;

# MLS-trusted subject attribute (defined in the shared policy, not here).
typeattribute mediaextractor mlstrustedsubject;

# Binder IPC: use the binder driver, call binder service domains and app
# domains, and act as a binder service itself. The macro bodies live in
# te_macros and are not visible in this file.
binder_use(mediaextractor)
binder_call(mediaextractor, binderservicedomain)
binder_call(mediaextractor, appdomain)
binder_service(mediaextractor)

# Register mediaextractor_service with servicemanager, and look up (find only)
# the media metrics service and the HIDL token hwservice.
add_service(mediaextractor, mediaextractor_service)
allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;

# Use file descriptors received from system_server.
allow mediaextractor system_server:fd use;

# Client of the hal_cas HAL.
hal_client_domain(mediaextractor, hal_cas)

# Read-only access to cgroup directories/files and to /proc/meminfo.
r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;

# Crash handling via the crash_dump fallback path (macro defined elsewhere).
crash_dump_fallback(mediaextractor)

# allow mediaextractor read permissions for file sources
# Note: only getattr and read are granted, never open. Together with the
# data_file_type neverallow at the end of this file, this means these files
# can only be used when they arrive as already-open descriptors.
allow mediaextractor sdcardfs:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor app_data_file:file { getattr read };

# Read resources from open apk files passed over Binder
# Same pattern as above: read/getattr on the descriptor, no open.
allow mediaextractor apk_data_file:file { read getattr };
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };

# scan extractor library directory to dynamically load extractors
# Directory listing only (read/open on the dir); no file permissions on
# system_file are granted by this rule.
allow mediaextractor system_file:dir { read open };

# Everything inside this block exists only on userdebug/eng builds and is
# absent from user builds. It is the one place this domain gets execute/open
# on apk_data_file files; the matching exception in the data_file_type
# neverallow below is guarded by the same userdebug_or_eng macro.
userdebug_or_eng(`
  # Allow extractor to add update service.
  add_service(mediaextractor, mediaextractor_update_service)

  # Allow extractor to load media extractor plugins from update apk.
  # "execute" here is the file permission needed to map a library; it does
  # not grant execute_no_trans, which the neverallow below still forbids.
  allow mediaextractor apk_data_file:dir search;
  allow mediaextractor apk_data_file:file { execute open };
')

###
### neverallow rules
###

# mediaextractor should never execute any executable without a
# domain transition
# Covers every file_type and fs_type, so no allow rule elsewhere in the
# policy can grant execute_no_trans to this domain.
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# Forbids every permission (*) on tcp, udp and raw IP sockets owned by any
# domain. Only those three socket classes are named in this rule.
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;

# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
# The exceptions are zoneinfo_data_file on all builds, and apk_data_file only
# on userdebug/eng builds (to match the userdebug_or_eng block above).
neverallow mediaextractor {
  data_file_type
  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
}:file open;