android_system_sepolicy/mediaserver.te

# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, exec_type, file_type;

typeattribute mediaserver mlstrustedsubject;

net_domain(mediaserver)
init_daemon_domain(mediaserver)

r_dir_file(mediaserver, sdcard_type)

binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)

# Required by Widevine DRM (b/22990512)
allow mediaserver self:process execmem;

allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
allow mediaserver sdcard_type:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver tee_device:chr_file rw_file_perms;

set_prop(mediaserver, audio_prop)

# Access audio devices at all.
allow mediaserver audio_device:chr_file rw_file_perms;

# XXX Label with a specific type?
allow mediaserver sysfs:file r_file_perms;

# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };

# Use pipes passed over Binder from app domains.
allow mediaserver appdomain:fifo_file { getattr read write };

# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;

# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;

# Camera data
r_dir_file(mediaserver, camera_data_file)
r_dir_file(mediaserver, media_rw_data_file)

# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;

# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)

# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;

allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;

use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
    consumeRights
    setPlaybackStatus
    openDecryptSession
    closeDecryptSession
    initializeDecryptUnit
    decrypt
    finalizeDecryptUnit
    pread
};

###
### neverallow rules
###

# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;