# mediaserver - multimedia daemon
#
# SELinux type-enforcement rules for the mediaserver domain: type declarations,
# Binder/socket plumbing via macros, then the allow rules for data files,
# device nodes and peer sockets. All macros (net_domain, r_dir_file,
# rw_file_perms, ...) are defined outside this file, so their exact expansion
# has to be checked against the macro definitions of the same policy tree.
type mediaserver, domain;
type mediaserver_exec, exec_type, file_type;

# NOTE(review): mlstrustedsubject is declared elsewhere; presumably it exempts
# this domain from the MLS constraints - confirm against the mls rules in this
# tree, since that widens what the allow rules below actually reach.
typeattribute mediaserver mlstrustedsubject;

# NOTE(review): presumably network access, the init -> mediaserver domain
# transition on mediaserver_exec, and connecting to init's property socket -
# confirm in the macro definitions.
net_domain(mediaserver)
init_daemon_domain(mediaserver)
unix_socket_connect(mediaserver, property, init)

r_dir_file(mediaserver, sdcard_type)

# Binder: mediaserver calls into binderservicedomain and appdomain and is
# itself registered as a Binder service.
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)

# execmem permits executable anonymous mappings in this process.
# NOTE(review): this domain also consumes descriptors and pipes handed over by
# app domains (see below), so execmem deserves a recorded justification.
allow mediaserver self:process execmem;
# module_request lets this domain trigger kernel module auto-load requests.
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
# NOTE(review): applies to every file labeled app_data_file, not only to
# descriptors passed over Binder. If rw_file_perms includes open (confirm in
# the macro definitions), dir search + rw lets mediaserver open app files by
# path.
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver tee_device:chr_file rw_file_perms;
allow mediaserver audio_prop:property_service set;

# Access audio devices at all.
allow mediaserver audio_device:chr_file rw_file_perms;

# XXX Label with a specific type?
# NOTE(review): as written this is read/write on every file that carries the
# generic sysfs label; a dedicated type on the nodes mediaserver needs would
# narrow it.
allow mediaserver sysfs:file rw_file_perms;

# Read resources from open apk files passed over Binder.
# Only read and getattr are granted, not open: mediaserver can use a
# descriptor it is handed but cannot open these files by path.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
# Same pattern: no open permission, passed descriptors only.
allow mediaserver radio_data_file:file { read getattr };

# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };

# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;

# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;

# Camera data
r_dir_file(mediaserver, camera_data_file)
r_dir_file(mediaserver, media_rw_data_file)

# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;

# Allow abstract socket connection
# Direct stream-socket access to the rild domain (connect, read, write,
# setopt).
allow mediaserver rild:unix_stream_socket { connectto read write setopt };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)

# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;

# Lets mediaserver register the mediaserver_service entry with the service
# manager.
allow mediaserver mediaserver_service:service_manager add;

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;