From af9238c9b801325a289b5766fc9dc7a86d4dd0f5 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 23 Oct 2013 14:23:43 -0400
Subject: [PATCH] Confine mediaserver, but leave it permissive for now.

Confine the mediaserver domain, restoring our rules for it, but leave it permissive until sufficient testing has been performed.

Change-Id: I3d10ee16f5125b11295bc40ff6f2e14080b4bd00
Signed-off-by: Stephen Smalley
---
 mediaserver.te | 52 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/mediaserver.te b/mediaserver.te
index 1b94d86d6..1a065b070 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,7 +1,57 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
+typeattribute mediaserver mlstrustedsubject;
+
 
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unconfined_domain(mediaserver)
+unix_socket_connect(mediaserver, property, init)
+
+r_dir_file(mediaserver, sdcard_type)
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver self:process execmem;
+allow mediaserver kernel:system module_request;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver audio_prop:property_service set;
+
+# Access audio devices at all.
+allow mediaserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+
+# XXX Why?
+allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
+
+# Access camera device.
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+# Camera calibration
+allow mediaserver camera_calibration_file:dir r_dir_perms;
+allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };
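Review bot: `allow mediaserver sysfs:file rw_file_perms;` grants write on every file carrying the generic sysfs label, and the `# XXX Label with a specific type?` comment above it already names the fix; that narrowing, and an answer to the `# XXX Why?` on the `{ apk_data_file asec_apk_file }` read rule, should be settled before `permissive mediaserver;` is dropped, otherwise the domain goes enforcing with rules that were never trimmed. While the domain is permissive none of these rules is enforced and any access they miss is only audited, so the testing the description calls for should be judged on the audit log (AVC denials whose source context is mediaserver) rather than on functional success alone. The `self:process execmem` and `typeattribute mediaserver mlstrustedsubject;` lines widen what this domain may do beyond the device rules around them and carry no comment; each should state the consumer that needs it, e.g. `# execmem: needed by <component — TODO confirm>` so a later reviewer can re-check whether it is still required.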