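# audioserver - audio services daemon
#
# SELinux type-enforcement policy for the audioserver domain.
# Restored to one statement per line: in the collapsed listing the fused
# line numbers and the leading comment marker hid every rule. The rules
# themselves are unchanged. The macros used below (init_daemon_domain,
# r_dir_file, binder_*, unix_socket_connect, userdebug_or_eng) and the
# *_perms permission sets are defined outside this file.
type audioserver, domain;
type audioserver_exec, exec_type, file_type;

# Start the daemon in the audioserver domain when init runs audioserver_exec.
init_daemon_domain(audioserver)

# Read-only access to every type carrying the sdcard_type attribute.
# NOTE(review): type enforcement cannot narrow this to audio content, so
# the grant covers all files with that label - confirm it is still needed.
r_dir_file(audioserver, sdcard_type)

# Binder IPC: audioserver acts as a binder client and as a binder service,
# and may call into other binder services and into app domains.
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, { appdomain autoplay_app })
binder_service(audioserver)

# Read-only: entries labeled proc, the ion_device character device, and
# system_file directories.
r_dir_file(audioserver, proc)
allow audioserver ion_device:chr_file r_file_perms;
allow audioserver system_file:dir r_dir_perms;

# Debug-only grants. Everything inside userdebug_or_eng is compiled in for
# userdebug and eng builds only, so neither the extra write access nor the
# self-ptrace permission is part of the policy on a user build.
userdebug_or_eng(`
  # used for TEE sink - pcm capture for debug.
  allow audioserver media_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:file create_file_perms;

  # ptrace to processes in the same domain for memory leak detection
  allow audioserver self:process ptrace;
')

# Audio hardware nodes: list the directory, read and write the character
# devices.
allow audioserver audio_device:dir r_dir_perms;
allow audioserver audio_device:chr_file rw_file_perms;

# Service manager: audioserver may register (add) and look up its own
# service; the remaining services are lookup-only (find).
allow audioserver audioserver_service:service_manager { add find };
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;

# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(audioserver, bluetooth, bluetooth)

###
### neverallow rules
###
# A neverallow is an assertion checked when the policy is compiled: the
# build fails if any allow rule, in this file or another, grants the
# listed access. It adds no runtime denial of its own.

# audioserver should never execute any executable without a
# domain transition
# (a program run without a transition would keep every grant above)
neverallow audioserver { file_type fs_type }:file execute_no_trans;

# audioserver should never need network access. Disallow network sockets.
# Only the tcp_socket, udp_socket and rawip_socket classes are asserted
# here; the unix socket connection to bluetooth above uses other classes
# and is not affected.
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;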