1# mediaserver - multimedia daemon
2type mediaserver, domain;
3type mediaserver_exec, exec_type, file_type;
4
5typeattribute mediaserver mlstrustedsubject;
6
7net_domain(mediaserver)
8init_daemon_domain(mediaserver)
9
10r_dir_file(mediaserver, sdcard_type)
11
12binder_use(mediaserver)
13binder_call(mediaserver, binderservicedomain)
14binder_call(mediaserver, appdomain)
15binder_service(mediaserver)
16
17allow mediaserver self:process execmem;
18allow mediaserver kernel:system module_request;
19allow mediaserver media_data_file:dir create_dir_perms;
20allow mediaserver media_data_file:file create_file_perms;
21allow mediaserver app_data_file:dir search;
22allow mediaserver app_data_file:file rw_file_perms;
23allow mediaserver sdcard_type:file write;
24allow mediaserver gpu_device:chr_file rw_file_perms;
25allow mediaserver video_device:dir r_dir_perms;
26allow mediaserver video_device:chr_file rw_file_perms;
27allow mediaserver audio_device:dir r_dir_perms;
28allow mediaserver tee_device:chr_file rw_file_perms;
29
30set_prop(mediaserver, audio_prop)
31
32# Access audio devices at all.
33allow mediaserver audio_device:chr_file rw_file_perms;
34
35# XXX Label with a specific type?
36allow mediaserver sysfs:file rw_file_perms;
37
38# Read resources from open apk files passed over Binder.
39allow mediaserver apk_data_file:file { read getattr };
40allow mediaserver asec_apk_file:file { read getattr };
41
42# Read /data/data/com.android.providers.telephony files passed over Binder.
43allow mediaserver radio_data_file:file { read getattr };
44
45# Use pipes passed over Binder from app domains.
46allow mediaserver appdomain:fifo_file { getattr read write };
47
48# Access camera device.
49allow mediaserver camera_device:chr_file rw_file_perms;
50allow mediaserver rpmsg_device:chr_file rw_file_perms;
51
52# Inter System processes communicate over named pipe (FIFO)
53allow mediaserver system_server:fifo_file r_file_perms;
54
55# Camera data
56r_dir_file(mediaserver, camera_data_file)
57r_dir_file(mediaserver, media_rw_data_file)
58
59# Grant access to audio files to mediaserver
60allow mediaserver audio_data_file:dir ra_dir_perms;
61allow mediaserver audio_data_file:file create_file_perms;
62
63# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
64allow mediaserver qtaguid_proc:file rw_file_perms;
65allow mediaserver qtaguid_device:chr_file r_file_perms;
66
67# Allow abstract socket connection
68allow mediaserver rild:unix_stream_socket { connectto read write setopt };
69
70# Needed on some devices for playing DRM protected content,
71# but seems expected and appropriate for all devices.
72unix_socket_connect(mediaserver, drmserver, drmserver)
73
74# Needed on some devices for playing audio on paired BT device,
75# but seems appropriate for all devices.
76unix_socket_connect(mediaserver, bluetooth, bluetooth)
77
78# Connect to tee service.
79allow mediaserver tee:unix_stream_socket connectto;
80
81allow mediaserver activity_service:service_manager find;
82allow mediaserver appops_service:service_manager find;
83allow mediaserver cameraproxy_service:service_manager find;
84allow mediaserver batterystats_service:service_manager find;
85allow mediaserver drmserver_service:service_manager find;
86allow mediaserver mediaserver_service:service_manager { add find };
87allow mediaserver permission_service:service_manager find;
88allow mediaserver power_service:service_manager find;
89allow mediaserver processinfo_service:service_manager find;
90allow mediaserver scheduling_policy_service:service_manager find;
91allow mediaserver surfaceflinger_service:service_manager find;
92
93# /oem access
94allow mediaserver oemfs:dir search;
95allow mediaserver oemfs:file r_file_perms;
96
97use_drmservice(mediaserver)
98allow mediaserver drmserver:drmservice {
99    consumeRights
100    setPlaybackStatus
101    openDecryptSession
102    closeDecryptSession
103    initializeDecryptUnit
104    decrypt
105    finalizeDecryptUnit
106    pread
107};
108