| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 1 | # audioserver - audio services daemon |
| 2 | |
| 3 | typeattribute audioserver coredomain; |
| 4 | |
| 5 | type audioserver_exec, exec_type, file_type, system_file_type; |
| 6 | init_daemon_domain(audioserver) |
| 7 | tmpfs_domain(audioserver) |
| 8 | |
| 9 | r_dir_file(audioserver, sdcard_type) |
| 10 | |
| 11 | binder_use(audioserver) |
| 12 | binder_call(audioserver, binderservicedomain) |
| 13 | binder_call(audioserver, appdomain) |
| 14 | binder_service(audioserver) |
| 15 | |
| 16 | hal_client_domain(audioserver, hal_allocator) |
| 17 | # /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so |
| 18 | r_dir_file(audioserver, system_file) |
| 19 | |
| 20 | hal_client_domain(audioserver, hal_audio) |
| 21 | |
| 22 | userdebug_or_eng(` |
| 23 | # used for TEE sink - pcm capture for debug. |
| 24 | allow audioserver media_data_file:dir create_dir_perms; |
| 25 | allow audioserver audioserver_data_file:dir create_dir_perms; |
| 26 | allow audioserver audioserver_data_file:file create_file_perms; |
| 27 | |
| 28 | # ptrace to processes in the same domain for memory leak detection |
| 29 | allow audioserver self:process ptrace; |
| 30 | ') |
| 31 | |
| 32 | add_service(audioserver, audioserver_service) |
| 33 | allow audioserver activity_service:service_manager find; |
| 34 | allow audioserver appops_service:service_manager find; |
| 35 | allow audioserver batterystats_service:service_manager find; |
| 36 | allow audioserver external_vibrator_service:service_manager find; |
| 37 | allow audioserver package_native_service:service_manager find; |
| 38 | allow audioserver permission_service:service_manager find; |
| 39 | allow audioserver permission_checker_service:service_manager find; |
| 40 | allow audioserver power_service:service_manager find; |
| 41 | allow audioserver scheduling_policy_service:service_manager find; |
| 42 | allow audioserver mediametrics_service:service_manager find; |
| 43 | allow audioserver sensor_privacy_service:service_manager find; |
| 44 | allow audioserver soundtrigger_middleware_service:service_manager find; |
| 45 | |
| 46 | # Allow read/write access to bluetooth-specific properties |
| 47 | set_prop(audioserver, bluetooth_a2dp_offload_prop) |
| 48 | set_prop(audioserver, bluetooth_audio_hal_prop) |
| 49 | set_prop(audioserver, bluetooth_prop) |
| 50 | set_prop(audioserver, exported_bluetooth_prop) |
| 51 | |
| 52 | # Grant access to audio files to audioserver |
| 53 | allow audioserver audio_data_file:dir ra_dir_perms; |
| 54 | allow audioserver audio_data_file:file create_file_perms; |
| 55 | |
| 56 | # allow access to ALSA MMAP FDs for AAudio API |
| 57 | allow audioserver audio_device:chr_file { read write }; |
| 58 | |
| 59 | not_full_treble(`allow audioserver audio_device:dir r_dir_perms;') |
| 60 | not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;') |
| 61 | |
| 62 | # For A2DP bridge which is loaded directly into audioserver |
| 63 | unix_socket_connect(audioserver, bluetooth, bluetooth) |
| 64 | |
| 65 | # Allow shell commands from ADB and shell for CTS testing/dumping |
| 66 | allow audioserver adbd:fd use; |
| 67 | allow audioserver adbd:unix_stream_socket { read write }; |
| 68 | allow audioserver shell:fifo_file { read write }; |
| 69 | |
| 70 | # Allow shell commands from ADB for CTS testing/dumping |
| 71 | userdebug_or_eng(` |
| 72 | allow audioserver su:fd use; |
| 73 | allow audioserver su:fifo_file { read write }; |
| 74 | allow audioserver su:unix_stream_socket { read write }; |
| 75 | ') |
| 76 | |
| 77 | # Allow write access to log tag property |
| 78 | set_prop(audioserver, log_tag_prop); |
| 79 | |
| 80 | ### |
| 81 | ### neverallow rules |
| 82 | ### |
| 83 | |
| 84 | # audioserver should never execute any executable without a |
| 85 | # domain transition |
| 86 | neverallow audioserver { file_type fs_type }:file execute_no_trans; |
| 87 | |
| 88 | # The goal of the mediaserver split is to place media processing code into |
| 89 | # restrictive sandboxes with limited responsibilities and thus limited |
| 90 | # permissions. Example: Audioserver is only responsible for controlling audio |
| 91 | # hardware and processing audio content. Cameraserver does the same for camera |
| 92 | # hardware/content. Etc. |
| 93 | # |
| 94 | # Media processing code is inherently risky and thus should have limited |
| 95 | # permissions and be isolated from the rest of the system and network. |
| 96 | # Lengthier explanation here: |
| 97 | # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html |
| Yifan Hong | 140072f | 2021-06-08 10:32:18 -0700 | [diff] [blame] | 98 | neverallow audioserver domain:{ udp_socket rawip_socket } *; |
| 99 | neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *; |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 100 | |
| 101 | # Allow using wake locks |
| 102 | wakelock_use(audioserver) |
| 103 | |
| 104 | # Allow reading audio config props, e.g. af.fast_track_multiplier |
| 105 | get_prop(audioserver, audio_config_prop) |