# mediaserver - multimedia daemon
#
# Domain for the media daemon. Much of its file access is on descriptors that
# other processes hand it (the original notes say "passed over Binder"), so
# several rules below deliberately omit `open`.
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;

# mlstrustedsubject exempts this domain from the MLS constraints, i.e. the
# MLS-category separation does not apply to anything mediaserver touches.
# Keep that in mind when adding access to per-user data.
typeattribute mediaserver mlstrustedsubject;

net_domain(mediaserver)

# Read-only directory/file/symlink access: external storage, cgroups and
# /data/media (the latter is also writable further down in this file).
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, media_rw_data_file)

# stat(2) of /proc/self only; `read` (symlink resolution) is not granted.
allow mediaserver proc:lnk_file getattr;

# Directory search/list under system_file (used for /vendor/lib/mediadrm).
allow mediaserver system_file:dir r_dir_perms;

# Binder IPC: system services (binderservicedomain) and apps (appdomain) in
# both directions, plus hosting mediaserver's own services.
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)

# Writable media storage and the device nodes the codecs need.
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;

# App-private files: no `open` is granted here, so (unless another policy
# file adds it) this only covers descriptors mediaserver already holds,
# e.g. ones received over Binder. It still gets write/append/map on them.
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };

# External storage: r_dir_file(sdcard_type) above already grants open/read,
# so adding `write` makes external-storage files writable by this domain.
allow mediaserver sdcard_type:file write;

set_prop(mediaserver, audio_prop)

# Read-only (read/getattr, no open) on files passed over Binder: apks,
# ringtones, and /data/data/com.android.providers.telephony files.
allow mediaserver { apk_data_file asec_apk_file ringtone_file radio_data_file }:file { read getattr };

# Pipes passed over Binder: read/write for app pipes, read-only for pipes
# from system_server.
allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver system_server:fifo_file r_file_perms;

# userdebug/eng builds only (absent from user builds): ptrace within the
# same domain for memory-leak debugging.
userdebug_or_eng(`
  # ptrace to processes in the same domain for memory leak detection
  allow mediaserver self:process ptrace;
')

# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };

# Unix-socket clients of drmserver (DRM-protected playback) and bluetooth
# (audio on a paired BT device). Both were first needed on specific devices
# but are considered appropriate for all of them.
unix_socket_connect(mediaserver, drmserver, drmserver)
unix_socket_connect(mediaserver, bluetooth, bluetooth)

# Publish mediaserver_service and look up the services mediaserver depends
# on. mediadrmserver_service is for ModDrm/MediaPlayer.
add_service(mediaserver, mediaserver_service)
allow mediaserver {
  activity_service
  appops_service
  audio_service
  audioserver_service
  batterystats_service
  cameraserver_service
  drmserver_service
  mediacodec_service
  mediadrmserver_service
  mediaextractor_service
  mediametrics_service
  media_session_service
  permission_service
  power_service
  processinfo_service
  scheduling_policy_service
  surfaceflinger_service
}:service_manager find;

# Hybrid (HIDL-backed) interfaces.
allow mediaserver hidl_token_hwservice:hwservice_manager find;

# /oem: search and read. /vendor apks: read/map/getattr (no open).
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
allow mediaserver vendor_app_file:file { read map getattr };

# DRM decrypt sessions through drmserver's custom drmservice class.
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
  consumeRights setPlaybackStatus
  openDecryptSession closeDecryptSession
  initializeDecryptUnit decrypt finalizeDecryptUnit
  pread
};

# Socket ioctls on mediaserver's own sockets: unprivileged commands only.
# (The neverallowxperm at the end of this file enforces the same ceiling on
# every domain's sockets, not just self.)
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# Direct read/write of /data/media. Kept only until sdcardfs is changed to
# alter the secontext for its accesses to the underlying FS; remove it then.
allow mediaserver media_rw_data_file:dir create_dir_perms;
allow mediaserver media_rw_data_file:file create_file_perms;

# Media shipped in /data/preloads: read-only, no open.
allow mediaserver preloads_media_file:file { getattr read ioctl };

# ion device node (read-only) and the allocator HAL.
allow mediaserver ion_device:chr_file r_file_perms;
hal_client_domain(mediaserver, hal_allocator)

# Use file descriptors received from these domains (vold: b/120491318).
allow mediaserver {
  hal_graphics_allocator
  hal_graphics_composer
  hal_camera
  system_server
  vold
}:fd use;

###
### neverallow rules
###

# Never execute anything without a domain transition. The target set covers
# every file_type and fs_type label, so no filesystem is exempt.
neverallow mediaserver { file_type fs_type }:file execute_no_trans;

# Privileged socket ioctls are forbidden on any domain's sockets, which is
# broader than the self-only allowxperm above.
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;