Merge "audioserver: Build up least privileged policy" into nyc-dev

audioserver.te

 # audioserver - audio services daemon
-type audioserver, domain, domain_deprecated;
+type audioserver, domain;
 type audioserver_exec, exec_type, file_type;
 
-typeattribute audioserver mlstrustedsubject;
-
-net_domain(audioserver)
 init_daemon_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
@@ -14,108 +11,33 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, { appdomain autoplay_app })
 binder_service(audioserver)
 
-# Read access to pseudo filesystems.
 r_dir_file(audioserver, proc)
+allow audioserver ion_device:chr_file r_file_perms;
+allow audioserver system_file:dir r_dir_perms;
 
-# Required by Widevine DRM (b/22990512)
-allow audioserver self:process execmem;
+# used for TEE sink - pcm capture for debug.
+userdebug_or_eng(`
+  allow audioserver media_data_file:dir create_dir_perms;
+')
 
-allow audioserver kernel:system module_request;
-allow audioserver media_data_file:dir create_dir_perms;
-allow audioserver media_data_file:file create_file_perms;
-allow audioserver app_data_file:dir search;
-allow audioserver app_data_file:file rw_file_perms;
-allow audioserver sdcard_type:file write;
-allow audioserver gpu_device:chr_file rw_file_perms;
-allow audioserver video_device:dir r_dir_perms;
-allow audioserver video_device:chr_file rw_file_perms;
 allow audioserver audio_device:dir r_dir_perms;
-allow audioserver tee_device:chr_file rw_file_perms;
-
-set_prop(audioserver, audio_prop)
-
-# Access audio devices at all.
 allow audioserver audio_device:chr_file rw_file_perms;
 
-# XXX Label with a specific type?
-allow audioserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow audioserver apk_data_file:file { read getattr };
-allow audioserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow audioserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow audioserver { appdomain autoplay_app }:fifo_file { getattr read write };
-
-# Access camera device.
-allow audioserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow audioserver system_server:fifo_file r_file_perms;
-
-# Camera data
-r_dir_file(audioserver, camera_data_file)
-r_dir_file(audioserver, media_rw_data_file)
+allow audioserver audioserver_service:service_manager { add find };
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
 
 # Grant access to audio files to audioserver
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow audioserver qtaguid_proc:file rw_file_perms;
-allow audioserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow audioserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(audioserver, drmserver, drmserver)
-
 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(audioserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow audioserver tee:unix_stream_socket connectto;
-
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver audioserver_service:service_manager { add find };
-allow audioserver cameraproxy_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver drmserver_service:service_manager find;
-allow audioserver mediaextractor_service:service_manager find;
-allow audioserver mediaserver_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver processinfo_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver surfaceflinger_service:service_manager find;
-
-# /oem access
-allow audioserver oemfs:dir search;
-allow audioserver oemfs:file r_file_perms;
-
-use_drmservice(audioserver)
-allow audioserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
 ###
 ### neverallow rules
 ###
@@ -124,5 +46,3 @@ allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
-# do not allow privileged socket ioctl commands
-neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

surfaceflinger.te

@@ -53,7 +53,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 
 # media.player service
-allow surfaceflinger audioserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;