Commit e02e6c03 authored by Andy Hung's avatar Andy Hung Committed by Android (Google) Code Review

Merge "Add rules for running audio services in audioserver"

parents 3a0ce49b b03831fe
# audioserver - audio services daemon
type audioserver, domain, domain_deprecated;
type audioserver_exec, exec_type, file_type;
typeattribute audioserver mlstrustedsubject;
net_domain(audioserver)
init_daemon_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, { appdomain autoplay_app })
binder_service(audioserver)
# Required by Widevine DRM (b/22990512)
allow audioserver self:process execmem;
allow audioserver kernel:system module_request;
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver media_data_file:file create_file_perms;
allow audioserver app_data_file:dir search;
allow audioserver app_data_file:file rw_file_perms;
allow audioserver sdcard_type:file write;
allow audioserver gpu_device:chr_file rw_file_perms;
allow audioserver video_device:dir r_dir_perms;
allow audioserver video_device:chr_file rw_file_perms;
allow audioserver audio_device:dir r_dir_perms;
allow audioserver tee_device:chr_file rw_file_perms;
set_prop(audioserver, audio_prop)
# Access audio devices at all.
allow audioserver audio_device:chr_file rw_file_perms;
# XXX Label with a specific type?
allow audioserver sysfs:file r_file_perms;
# Read resources from open apk files passed over Binder.
allow audioserver apk_data_file:file { read getattr };
allow audioserver asec_apk_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow audioserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
allow audioserver { appdomain autoplay_app }:fifo_file { getattr read write };
# Access camera device.
allow audioserver camera_device:chr_file rw_file_perms;
allow audioserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow audioserver system_server:fifo_file r_file_perms;
# Camera data
r_dir_file(audioserver, camera_data_file)
r_dir_file(audioserver, media_rw_data_file)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow audioserver qtaguid_proc:file rw_file_perms;
allow audioserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
allow audioserver rild:unix_stream_socket { connectto read write setopt };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(audioserver, drmserver, drmserver)
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Connect to tee service.
allow audioserver tee:unix_stream_socket connectto;
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver audioserver_service:service_manager { add find };
allow audioserver cameraproxy_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver drmserver_service:service_manager find;
allow audioserver mediaextractor_service:service_manager find;
allow audioserver mediaserver_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver processinfo_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver surfaceflinger_service:service_manager find;
# /oem access
allow audioserver oemfs:dir search;
allow audioserver oemfs:file r_file_perms;
use_drmservice(audioserver)
allow audioserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
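Review bot: The new domain is declared with the `domain_deprecated` attribute on its first `type` line, which pulls in the legacy permission set that attribute exists to retire; a domain created from scratch should be able to start from `domain` alone and add only what audit denials require. Several rules also look carried over from mediaserver rather than derived from what the relabelled services (media.audio_flinger, media.audio_policy, media.log, media.radio, media.sound_trigger_hw) do: `execmem` justified only by a Widevine comment, rw access to `camera_device`, `video_device` and `gpu_device`, the `camera_data_file` read, `app_data_file:file rw_file_perms`, and the `drmserver:drmservice` decrypt operations. If these are intentionally kept for parity during the split, a comment saying so would help whoever trims this file later, e.g. `# Carried over from mediaserver for the audio split; drop what audit shows audioserver never uses.`; otherwise removing them now keeps the audio daemon from inheriting camera and DRM reach it does not obviously need. The neverallow on execute_no_trans at the end is the right guard to keep.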
...@@ -33,6 +33,7 @@ set_prop(bluetooth, bluetooth_prop) ...@@ -33,6 +33,7 @@ set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, pan_result_prop) set_prop(bluetooth, pan_result_prop)
set_prop(bluetooth, ctl_dhcp_pan_prop) set_prop(bluetooth, ctl_dhcp_pan_prop)
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find; allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find; allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find; allow bluetooth mediaserver_service:service_manager find;
......
...@@ -25,7 +25,7 @@ allow debuggerd system_data_file:file open; ...@@ -25,7 +25,7 @@ allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself. # Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit # This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit. # debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket. # Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server) unix_socket_connect(debuggerd, system_ndebug, system_server)
......
...@@ -48,9 +48,9 @@ allow dumpstate { appdomain autoplay_app system_server }:process signal; ...@@ -48,9 +48,9 @@ allow dumpstate { appdomain autoplay_app system_server }:process signal;
# Signal native processes to dump their stack. # Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c # This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal; allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes. # Ask debuggerd for the backtraces of these processes.
allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace; allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain # Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc) domain_auto_trans(dumpstate, vdc_exec, vdc)
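Review bot: The comment kept above the first changed line says this process list comes from `native_processes_to_dump` in dumpstate/utils.c, so adding `audioserver` to the `signal` and `dump_backtrace` rules only has effect once that table carries the same entry. That source lives outside the policy tree and is not part of this change, so it is worth confirming the two land together; until then the new grants are unused but harmless.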
......
...@@ -163,6 +163,7 @@ ...@@ -163,6 +163,7 @@
/system/bin/vold u:object_r:vold_exec:s0 /system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0 /system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0 /system/bin/rild u:object_r:rild_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0 /system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
......
...@@ -82,6 +82,7 @@ allow mediaserver tee:unix_stream_socket connectto; ...@@ -82,6 +82,7 @@ allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver activity_service:service_manager find; allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find; allow mediaserver appops_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraproxy_service:service_manager find; allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find; allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find; allow mediaserver drmserver_service:service_manager find;
......
...@@ -17,6 +17,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms; ...@@ -17,6 +17,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms; allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write; allow nfc sysfs:file write;
allow nfc audioserver_service:service_manager find;
allow nfc drmserver_service:service_manager find; allow nfc drmserver_service:service_manager find;
allow nfc mediaserver_service:service_manager find; allow nfc mediaserver_service:service_manager find;
allow nfc mediaextractor_service:service_manager find; allow nfc mediaextractor_service:service_manager find;
......
...@@ -34,6 +34,7 @@ allow platform_app mnt_media_rw_file:dir r_dir_perms; ...@@ -34,6 +34,7 @@ allow platform_app mnt_media_rw_file:dir r_dir_perms;
allow platform_app vfat:dir create_dir_perms; allow platform_app vfat:dir create_dir_perms;
allow platform_app vfat:file create_file_perms; allow platform_app vfat:file create_file_perms;
allow platform_app audioserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find; allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find; allow platform_app mediaserver_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find; allow platform_app mediaextractor_service:service_manager find;
......
...@@ -19,6 +19,7 @@ allow priv_app mtp_device:chr_file rw_file_perms; ...@@ -19,6 +19,7 @@ allow priv_app mtp_device:chr_file rw_file_perms;
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app) create_pty(priv_app)
allow priv_app audioserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find; allow priv_app drmserver_service:service_manager find;
allow priv_app mediaserver_service:service_manager find; allow priv_app mediaserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find; allow priv_app mediaextractor_service:service_manager find;
......
...@@ -27,6 +27,7 @@ auditallow radio system_radio_prop:property_service set; ...@@ -27,6 +27,7 @@ auditallow radio system_radio_prop:property_service set;
# ctl interface # ctl interface
set_prop(radio, ctl_rildaemon_prop) set_prop(radio, ctl_rildaemon_prop)
allow radio audioserver_service:service_manager find;
allow radio drmserver_service:service_manager find; allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find; allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find }; allow radio radio_service:service_manager { add find };
......
type audioserver_service, service_manager_type;
type bluetooth_service, service_manager_type; type bluetooth_service, service_manager_type;
type default_android_service, service_manager_type; type default_android_service, service_manager_type;
type drmserver_service, service_manager_type; type drmserver_service, service_manager_type;
......
...@@ -60,16 +60,16 @@ jobscheduler u:object_r:jobscheduler_service:s0 ...@@ -60,16 +60,16 @@ jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0 launcherapps u:object_r:launcherapps_service:s0
location u:object_r:location_service:s0 location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0 lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:mediaserver_service:s0 media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:mediaserver_service:s0 media.audio_policy u:object_r:audioserver_service:s0
media.camera u:object_r:mediaserver_service:s0 media.camera u:object_r:mediaserver_service:s0
media.camera.proxy u:object_r:cameraproxy_service:s0 media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:mediaserver_service:s0 media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0 media.player u:object_r:mediaserver_service:s0
media.extractor u:object_r:mediaextractor_service:s0 media.extractor u:object_r:mediaextractor_service:s0
media.resource_manager u:object_r:mediaserver_service:s0 media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:mediaserver_service:s0 media.radio u:object_r:audioserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0 media.sound_trigger_hw u:object_r:audioserver_service:s0
media_projection u:object_r:media_projection_service:s0 media_projection u:object_r:media_projection_service:s0
media_router u:object_r:media_router_service:s0 media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0 media_session u:object_r:media_session_service:s0
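Review bot: Relabelling media.audio_flinger, media.audio_policy, media.log, media.radio and media.sound_trigger_hw from `mediaserver_service` to `audioserver_service` removes them from every domain whose only grant is `mediaserver_service:service_manager find`. This commit adds the matching `audioserver_service` find for bluetooth, mediaserver, nfc, platform_app, priv_app, radio, surfaceflinger, system_server and untrusted_app, but any other domain that holds a `mediaserver_service` find and is not touched here silently loses the audio services. A grep for `mediaserver_service:service_manager find` across the policy before merging would confirm the list is complete.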
......
...@@ -56,6 +56,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms; ...@@ -56,6 +56,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
# media.player service # media.player service
allow surfaceflinger audioserver_service:service_manager find;
allow surfaceflinger mediaserver_service:service_manager find; allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find; allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find; allow surfaceflinger power_service:service_manager find;
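Review bot: The new `audioserver_service` find is inserted directly under the `# media.player service` comment, which now labels a rule for a service type media.player does not belong to (service_contexts in this same change keeps media.player under `mediaserver_service`). Either move the added line below the existing `mediaserver_service` rule or widen the comment, e.g. `# media.player (mediaserver) and audio services (audioserver)`.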
......
...@@ -77,6 +77,7 @@ allow system_server { appdomain autoplay_app }:process { sigkill signal }; ...@@ -77,6 +77,7 @@ allow system_server { appdomain autoplay_app }:process { sigkill signal };
# Set scheduling info for apps. # Set scheduling info for apps.
allow system_server { appdomain autoplay_app }:process { getsched setsched }; allow system_server { appdomain autoplay_app }:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched };
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
...@@ -137,9 +138,10 @@ binder_call(system_server, dumpstate) ...@@ -137,9 +138,10 @@ binder_call(system_server, dumpstate)
binder_service(system_server) binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest. # Ask debuggerd to dump backtraces for native stacks of interest.
allow system_server { mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; allow system_server { audioserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Read /proc/pid files for dumping stack traces of native processes. # Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, audioserver)
r_dir_file(system_server, mediaserver) r_dir_file(system_server, mediaserver)
r_dir_file(system_server, mediaextractor) r_dir_file(system_server, mediaextractor)
r_dir_file(system_server, sdcardd) r_dir_file(system_server, sdcardd)
...@@ -147,6 +149,8 @@ r_dir_file(system_server, surfaceflinger) ...@@ -147,6 +149,8 @@ r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger) r_dir_file(system_server, inputflinger)
# Use sockets received over binder from various services. # Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms; allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms; allow system_server mediaserver:udp_socket rw_socket_perms;
...@@ -370,6 +374,7 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; ...@@ -370,6 +374,7 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
allow system_server pstorefs:dir r_dir_perms; allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms; allow system_server pstorefs:file r_file_perms;
allow system_server audioserver_service:service_manager find;
allow system_server drmserver_service:service_manager find; allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find; allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find; allow system_server keystore_service:service_manager find;
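Review bot: The `tcp_socket` and `udp_socket` rw grants on `audioserver` in the third hunk mirror the mediaserver lines under the `Use sockets received over binder from various services` comment, but nothing in this change shows audioserver handing network sockets to system_server; if the two lines are inherited from the mediaserver rule set rather than backed by a known audio path, dropping them keeps the audio daemon's network reach out of system_server's policy. The getsched/setsched, dump_backtrace and /proc read additions in the other hunks follow the existing pattern for native services. All four hunks are excerpts of a larger file.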
......
...@@ -77,11 +77,11 @@ allow untrusted_app mnt_media_rw_file:dir search; ...@@ -77,11 +77,11 @@ allow untrusted_app mnt_media_rw_file:dir search;
# allow cts to query all services # allow cts to query all services
allow untrusted_app servicemanager:service_manager list; allow untrusted_app servicemanager:service_manager list;
allow untrusted_app audioserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find; allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app healthd_service:service_manager find; allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find; allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find; allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app nfc_service:service_manager find; allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find; allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find; allow untrusted_app surfaceflinger_service:service_manager find;
......