# mediaserver - multimedia daemon
#
# SELinux type-enforcement policy for the mediaserver domain. The rules are
# grouped as: type declarations, file/device access, binder and
# service_manager lookups, DRM, socket ioctl allow-listing, and the
# neverallow constraints at the end that apply to every build.
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;

# Exempts mediaserver from MLS constraints; presumably needed because fds and
# files from app domains are passed to it over binder (see the appdomain
# fifo_file rule below).
typeattribute mediaserver mlstrustedsubject;

net_domain(mediaserver)

r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, cgroup_v2)

# stat /proc/self
allow mediaserver proc:lnk_file getattr;

# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;

# Debug builds only: the userdebug_or_eng macro expands to nothing on user
# builds, so self-ptrace never reaches production devices.
userdebug_or_eng(`
  # ptrace to processes in the same domain for memory leak detection
  allow mediaserver self:process ptrace;
')

binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)

allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
# App-private files: this file grants no :dir permission on these types, so
# the intent is access through fds handed over binder rather than by path.
# Note that write/append are included, not just read.
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;

# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
allow mediaserver ringtone_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };

# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };

allow mediaserver rpmsg_device:chr_file rw_file_perms;

# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;

r_dir_file(mediaserver, media_rw_data_file)

# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)

# Services mediaserver registers and the ones it is allowed to look up.
# 'find' only permits the servicemanager lookup; calling the service also
# requires the binder_call rules above.
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;

# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;

# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;

# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };

# DRM: only the listed drmservice operations are permitted against drmserver.
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
  consumeRights
  setPlaybackStatus
  openDecryptSession
  closeDecryptSession
  initializeDecryptUnit
  decrypt
  finalizeDecryptUnit
  pread
};

# only allow unprivileged socket ioctl commands
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir create_dir_perms;
allow mediaserver media_rw_data_file:file create_file_perms;

# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };

allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;

allow mediaserver system_server:fd use;

# b/120491318 allow mediaserver to access vold:fd
allow mediaserver vold:fd use;

# overlay package access
allow mediaserver vendor_overlay_file:file { read getattr map };

hal_client_domain(mediaserver, hal_allocator)

###
### neverallow rules
###

# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
# (target is 'domain', i.e. sockets of any domain, which is deliberately
# broader than the self-only allowxperm above)
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;