commit 090f4a4d9fce4b672054f0ddd9a487eca8a0e3b6
author Ray Essick <essick@google.com> Fri Dec 02 11:26:54 2016 -0800
committer Ray Essick <essick@google.com> Sat Dec 03 00:06:20 2016 +0000
tree cbf01f268df3fd99c7fd0016a651ed8450f7e397
parent 17c675b327727b180e5096fb76ae6ad9411d2ddc

Allow access to mediaanalytics service

media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca

public/mediaanalytics.te

diff --git a/public/mediaanalytics.te b/public/mediaanalytics.te
new file mode 100644
index 0000000..ea3f054
--- /dev/null
+++ b/public/mediaanalytics.te
@@ -0,0 +1,26 @@
+# mediaanalytics - daemon for collecting media analytics data
+type mediaanalytics, domain;
+type mediaanalytics_exec, exec_type, file_type;
+
+
+binder_use(mediaanalytics)
+binder_call(mediaanalytics, binderservicedomain)
+binder_service(mediaanalytics)
+
+allow mediaanalytics mediaanalytics_service:service_manager add;
+
+allow mediaanalytics system_server:fd use;
+
+r_dir_file(mediaanalytics, cgroup)
+allow mediaanalytics proc_meminfo:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediaanalytics should never execute any executable without a
+# domain transition
+neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;
+
+# mediaanalytics should never need network access. Disallow network sockets.
+neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;

public/mediacodec.te

diff --git a/public/mediacodec.te b/public/mediacodec.te
index a1d90a0..1d6f7c1 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -10,6 +10,7 @@
 binder_service(mediacodec)
 
 allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec mediaanalytics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;

public/mediadrmserver.te

diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index ba4fc9b..b08664f 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -47,6 +47,7 @@
 
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
+allow mediadrmserver mediaanalytics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 

public/mediaextractor.te

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ec0ce31..e5cf27e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -10,6 +10,7 @@
 binder_service(mediaextractor)
 
 allow mediaextractor mediaextractor_service:service_manager add;
+allow mediaextractor mediaanalytics_service:service_manager find;
 
 allow mediaextractor system_server:fd use;
 

public/mediaserver.te

diff --git a/public/mediaserver.te b/public/mediaserver.te
index 249f63f..2acd629 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -87,6 +87,7 @@
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver mediaanalytics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;

public/service.te

diff --git a/public/service.te b/public/service.te
index b3efed5..6b87435 100644
--- a/public/service.te
+++ b/public/service.te
@@ -11,6 +11,7 @@
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
+type mediaanalytics_service,    service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;

public/system_server.te

diff --git a/public/system_server.te b/public/system_server.te
index d6fb0a4..4f7f869 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -179,6 +179,7 @@
   mediadrmserver
   mediaextractor
   mediaserver
+  mediaanalytics
   sdcardd
   surfaceflinger
 }:debuggerd dump_backtrace;
@@ -462,6 +463,7 @@
 allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;