Allow mediaextractor to load libraries from apk_data_file
This is an experimental feature only on userdebug and eng build.
Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ef5ed..cf9d0d3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -243,3 +243,6 @@
-untrusted_app_visible_halserver
}:binder { call transfer };
')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f6889ae..3a906e9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -52,6 +52,7 @@
lowpan_device
lowpan_prop
lowpan_service
+ mediaextractor_update_service
mediaprovider_tmpfs
netd_stable_secret_prop
network_watchlist_data_file
diff --git a/private/service_contexts b/private/service_contexts
index c1ea51a..373c7cc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -88,6 +88,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.extractor.update u:object_r:mediaextractor_update_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 035e8f1..6ebcab5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -746,6 +746,11 @@
allow system_server user_profile_data_file:dir { search };
allow system_server user_profile_data_file:file { getattr open read };
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
###
### Neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index 6a3d270..5879e26 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -416,6 +416,7 @@
userdebug_or_eng(`-su')
-webview_zygote
-zygote
+ userdebug_or_eng(`-mediaextractor')
} {
file_type
-system_file
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8ba8913..44387fd 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,6 +37,15 @@
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
###
### neverallow rules
###
@@ -63,4 +72,5 @@
neverallow mediaextractor {
data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
}:file open;
diff --git a/public/service.te b/public/service.te
index 44c3ef6..6f9d47c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;