From 090f4a4d9fce4b672054f0ddd9a487eca8a0e3b6 Mon Sep 17 00:00:00 2001
From: Ray Essick <essick@google.com>
Date: Fri, 2 Dec 2016 11:26:54 -0800
Subject: [PATCH] Allow access to mediaanalytics service

Media framework analytics are gathered in a separate service.
Define a context for this new service and allow various
media-related services and libraries to access it.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
---
 private/file_contexts     |  1 +
 private/mediaanalytics.te |  3 +++
 private/service_contexts  |  1 +
 public/mediaanalytics.te  | 26 ++++++++++++++++++++++++++
 public/mediacodec.te      |  1 +
 public/mediadrmserver.te  |  1 +
 public/mediaextractor.te  |  1 +
 public/mediaserver.te     |  1 +
 public/service.te         |  1 +
 public/system_server.te   |  2 ++
 10 files changed, 38 insertions(+)
 create mode 100644 private/mediaanalytics.te
 create mode 100644 public/mediaanalytics.te

diff --git a/private/file_contexts b/private/file_contexts
index 1be0eb094..597c9148a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -173,6 +173,7 @@
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediaanalytics	u:object_r:mediaanalytics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mediacodec	u:object_r:mediacodec_exec:s0
diff --git a/private/mediaanalytics.te b/private/mediaanalytics.te
new file mode 100644
index 000000000..0092fbe77
--- /dev/null
+++ b/private/mediaanalytics.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaanalytics)
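Review bot: The comment above `init_daemon_domain(mediaanalytics)` is a run-on sentence and never says that the macro is what produces the type_transition, so the reason this rule sits in private/ is hard to recover. Suggested wording: `# init_daemon_domain() emits a type_transition, which must be in private policy.` followed by `# The domain_trans rules could stay public, but conceptually belong with it.`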
diff --git a/private/service_contexts b/private/service_contexts
index 5bf2ce36d..9269c2cad 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -75,6 +75,7 @@ media.camera                              u:object_r:cameraserver_service:s0
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.analytics                           u:object_r:mediaanalytics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
diff --git a/public/mediaanalytics.te b/public/mediaanalytics.te
new file mode 100644
index 000000000..ea3f05486
--- /dev/null
+++ b/public/mediaanalytics.te
@@ -0,0 +1,26 @@
+# mediaanalytics - daemon for collecting media analytics data
+type mediaanalytics, domain;
+type mediaanalytics_exec, exec_type, file_type;
+
+
+binder_use(mediaanalytics)
+binder_call(mediaanalytics, binderservicedomain)
+binder_service(mediaanalytics)
+
+allow mediaanalytics mediaanalytics_service:service_manager add;
+
+allow mediaanalytics system_server:fd use;
+
+r_dir_file(mediaanalytics, cgroup)
+allow mediaanalytics proc_meminfo:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediaanalytics should never execute any executable without a
+# domain transition
+neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;
+
+# mediaanalytics should never need network access. Disallow network sockets.
+neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;
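Review bot: `binder_call(mediaanalytics, binderservicedomain)` lets the new daemon initiate calls and transfer references to every domain carrying that attribute, while the commit description only describes other services calling into this one. If the collector needs only a few peers, name them instead (for example `binder_call(mediaanalytics, system_server)`, if that is the only one required), or add a comment stating why the whole attribute is needed. The `system_server:fd use`, `r_dir_file(mediaanalytics, cgroup)` and `proc_meminfo` rules also have no comment saying what needs them. A one-line reason above each, in the style of the neverallow comments below them, would let a later audit tell required access from copied boilerplate.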
diff --git a/public/mediacodec.te b/public/mediacodec.te
index a1d90a008..1d6f7c165 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -10,6 +10,7 @@ binder_call(mediacodec, appdomain)
 binder_service(mediacodec)
 
 allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec mediaanalytics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index ba4fc9bab..b08664f27 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -47,6 +47,7 @@ allow mediadrmserver tee:unix_stream_socket connectto;
 
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
+allow mediadrmserver mediaanalytics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ec0ce31a7..e5cf27ed1 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -10,6 +10,7 @@ binder_call(mediaextractor, appdomain)
 binder_service(mediaextractor)
 
 allow mediaextractor mediaextractor_service:service_manager add;
+allow mediaextractor mediaanalytics_service:service_manager find;
 
 allow mediaextractor system_server:fd use;
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 249f63fbe..2acd6298a 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -87,6 +87,7 @@ allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver mediaanalytics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index b3efed57f..6b874359d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -11,6 +11,7 @@ type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
+type mediaanalytics_service,    service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
diff --git a/public/system_server.te b/public/system_server.te
index d6fb0a492..4f7f86902 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -179,6 +179,7 @@ allow system_server {
   mediadrmserver
   mediaextractor
   mediaserver
+  mediaanalytics
   sdcardd
   surfaceflinger
 }:debuggerd dump_backtrace;
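Review bot: `mediaanalytics` is added after `mediaserver`, which breaks the alphabetical order that the visible entries of this list follow. Moving it to its sorted position (before `mediadrmserver`, or wherever that falls in the part of the list above the hunk) keeps later changes to this set easy to audit. The `allow system_server { ... }` block opens outside the hunk, so the full list is not visible here. Because the entry lets system_server request a backtrace of the new daemon through debuggerd, confirm that the framework side actually names this daemon for such dumps, so the rule is not an unused grant.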
@@ -462,6 +463,7 @@ allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
-- 
GitLab