1# mediaserver - multimedia daemon 2type mediaserver, domain; 3type mediaserver_exec, exec_type, file_type; 4 5typeattribute mediaserver mlstrustedsubject; 6 7net_domain(mediaserver) 8init_daemon_domain(mediaserver) 9 10r_dir_file(mediaserver, sdcard_type) 11 12binder_use(mediaserver) 13binder_call(mediaserver, binderservicedomain) 14binder_call(mediaserver, appdomain) 15binder_service(mediaserver) 16 17allow mediaserver self:process execmem; 18allow mediaserver kernel:system module_request; 19allow mediaserver media_data_file:dir create_dir_perms; 20allow mediaserver media_data_file:file create_file_perms; 21allow mediaserver app_data_file:dir search; 22allow mediaserver app_data_file:file rw_file_perms; 23allow mediaserver sdcard_type:file write; 24allow mediaserver gpu_device:chr_file rw_file_perms; 25allow mediaserver video_device:dir r_dir_perms; 26allow mediaserver video_device:chr_file rw_file_perms; 27allow mediaserver audio_device:dir r_dir_perms; 28allow mediaserver tee_device:chr_file rw_file_perms; 29 30set_prop(mediaserver, audio_prop) 31 32# Access audio devices at all. 33allow mediaserver audio_device:chr_file rw_file_perms; 34 35# XXX Label with a specific type? 36allow mediaserver sysfs:file rw_file_perms; 37 38# Read resources from open apk files passed over Binder. 39allow mediaserver apk_data_file:file { read getattr }; 40allow mediaserver asec_apk_file:file { read getattr }; 41 42# Read /data/data/com.android.providers.telephony files passed over Binder. 43allow mediaserver radio_data_file:file { read getattr }; 44 45# Use pipes passed over Binder from app domains. 46allow mediaserver appdomain:fifo_file { getattr read write }; 47 48# Access camera device. 49allow mediaserver camera_device:chr_file rw_file_perms; 50allow mediaserver rpmsg_device:chr_file rw_file_perms; 51 52# Inter System processes communicate over named pipe (FIFO) 53allow mediaserver system_server:fifo_file r_file_perms; 54 55# Camera data 56r_dir_file(mediaserver, camera_data_file) 57r_dir_file(mediaserver, media_rw_data_file) 58 59# Grant access to audio files to mediaserver 60allow mediaserver audio_data_file:dir ra_dir_perms; 61allow mediaserver audio_data_file:file create_file_perms; 62 63# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid 64allow mediaserver qtaguid_proc:file rw_file_perms; 65allow mediaserver qtaguid_device:chr_file r_file_perms; 66 67# Allow abstract socket connection 68allow mediaserver rild:unix_stream_socket { connectto read write setopt }; 69 70# Needed on some devices for playing DRM protected content, 71# but seems expected and appropriate for all devices. 72unix_socket_connect(mediaserver, drmserver, drmserver) 73 74# Needed on some devices for playing audio on paired BT device, 75# but seems appropriate for all devices. 76unix_socket_connect(mediaserver, bluetooth, bluetooth) 77 78# Connect to tee service. 79allow mediaserver tee:unix_stream_socket connectto; 80 81allow mediaserver activity_service:service_manager find; 82allow mediaserver appops_service:service_manager find; 83allow mediaserver cameraproxy_service:service_manager find; 84allow mediaserver batterystats_service:service_manager find; 85allow mediaserver drmserver_service:service_manager find; 86allow mediaserver mediaserver_service:service_manager { add find }; 87allow mediaserver permission_service:service_manager find; 88allow mediaserver power_service:service_manager find; 89allow mediaserver processinfo_service:service_manager find; 90allow mediaserver scheduling_policy_service:service_manager find; 91allow mediaserver surfaceflinger_service:service_manager find; 92 93# /oem access 94allow mediaserver oemfs:dir search; 95allow mediaserver oemfs:file r_file_perms; 96 97use_drmservice(mediaserver) 98allow mediaserver drmserver:drmservice { 99 consumeRights 100 setPlaybackStatus 101 openDecryptSession 102 closeDecryptSession 103 initializeDecryptUnit 104 decrypt 105 finalizeDecryptUnit 106 pread 107}; 108