Enable permission checking by binderservicedomain. am: 000b69499a am: e25588fba8
am: 121a70bd05
* commit '121a70bd052039de208ba3c2e3a32b79609d8d81':
Enable permission checking by binderservicedomain.
diff --git a/bluetooth.te b/bluetooth.te
index 4f240fb..5016bcf 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -3,8 +3,6 @@
app_domain(bluetooth)
net_domain(bluetooth)
-wakelock_use(bluetooth);
-
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
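Review bot: Dropping `wakelock_use(bluetooth)` is not mentioned anywhere in the commit description, which only talks about binderservicedomain permission checking, so a reader cannot tell whether the removal is intended or a merge artifact. The second bluetooth.te hunk narrows the capability2 neverallow to `~wake_alarm` in the same direction, so the two hunks are at least self-consistent; if bluetooth still requests a wakelock on some device, that would now surface as a block_suspend denial at runtime rather than a policy build failure. The description should state that bluetooth's wakelock access is being withdrawn and why.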
@@ -77,4 +75,4 @@
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow bluetooth self:capability ~net_admin;
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:capability2 ~wake_alarm;
diff --git a/domain.te b/domain.te
index 69cf04d..d41cf39 100644
--- a/domain.te
+++ b/domain.te
@@ -189,7 +189,6 @@
-init
-ueventd
-vold
- -recovery
} self:capability mknod;
# Limit raw I/O to these whitelisted domains.
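Review bot: Removing `-recovery` from the exemption set presumably brings recovery under the enclosing `self:capability mknod` neverallow, whose opening line lies outside this hunk, so the intent cannot be confirmed from what is shown. If any rule in recovery.te still grants mknod, the build will fail on the neverallow rather than at runtime, which is the safe direction, but the change is unrelated to the commit title and deserves a line in the description, e.g. `# recovery no longer needs mknod; keep it under the blanket neverallow`.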
diff --git a/dumpstate.te b/dumpstate.te
index 963f8cd..7fe78e3 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
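Review bot: The comment on the line above the first changed rule says this list mirrors `native_processes_to_dump` in dumpstate/utils.c, so adding mediaextractor here only takes effect if that C array is updated in lockstep, and nothing in this policy-only change shows that. Consider recording the dependency next to the rule, e.g. `# keep in sync with native_processes_to_dump in dumpstate/utils.c (mediaextractor added)`. The same pairing applies to the system_server.te dump_backtrace hunk.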
diff --git a/file_contexts b/file_contexts
index 107c73c..d69c5e5 100644
--- a/file_contexts
+++ b/file_contexts
@@ -164,6 +164,7 @@
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
diff --git a/mediaextractor.te b/mediaextractor.te
new file mode 100644
index 0000000..68ab2f6
--- /dev/null
+++ b/mediaextractor.te
@@ -0,0 +1,45 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+init_daemon_domain(mediaextractor)
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+# Required by Widevine DRM (b/22990512)
+allow mediaextractor self:process execmem;
+
+allow mediaextractor kernel:system module_request;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaextractor, drmserver, drmserver)
+
+allow mediaextractor drmserver_service:service_manager find;
+allow mediaextractor mediaextractor_service:service_manager { add find };
+allow mediaextractor processinfo_service:service_manager find;
+
+use_drmservice(mediaextractor)
+allow mediaextractor drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
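Review bot: `typeattribute mediaextractor mlstrustedsubject;` is granted without any comment, unlike the execmem and drmserver rules which cite a reason; for a daemon whose job is to parse untrusted container files, an MLS bypass is a broad grant and should be justified inline or dropped, e.g. `# mlstrustedsubject: TODO(review) state which cross-level object access mediaextractor actually needs`. The execmem rule is referenced to b/22990512, but combined with `binder_call(mediaextractor, appdomain)` and the find rules given to untrusted_app elsewhere in this change, it means a process reachable from untrusted apps can map writable-executable memory; a sentence noting that trade-off next to the rule would help the next reviewer. `allow mediaextractor kernel:system module_request;` likewise carries no explanation of which module load it expects. The neverallow section only covers execute_no_trans; if mediaserver.te carries additional neverallows for the same class of daemon, mirroring them here would keep the two media domains consistent, but that file is not visible in this diff.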
diff --git a/mediaserver.te b/mediaserver.te
index 7c180cb..9ced4d3 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -85,6 +85,7 @@
allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 71841be..882725f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -19,6 +19,7 @@
allow nfc drmserver_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 2afe4d8..f65548b 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index 279a933..79b059d 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -21,6 +21,7 @@
allow priv_app drmserver_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
diff --git a/service.te b/service.te
index c1772d4..49af917 100644
--- a/service.te
+++ b/service.te
@@ -7,6 +7,7 @@
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 85dcd3d..f6c458d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -66,6 +66,7 @@
media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
diff --git a/system_server.te b/system_server.te
index b176243..e63cd52 100644
--- a/system_server.te
+++ b/system_server.te
@@ -133,10 +133,11 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
+r_dir_file(system_server, mediaextractor)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)
@@ -381,6 +382,7 @@
allow system_server gatekeeper_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
@@ -432,6 +434,9 @@
# Allow system process to relabel the fingerprint directory after mkdir
allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
###
### Neverallow rules
###
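Review bot: `allow system_server sysfs_mac_address:file r_file_perms;` references a type that is neither declared nor labeled anywhere in this diff; unless `sysfs_mac_address` already exists in file.te and is assigned in genfs_contexts or file_contexts, the policy will not compile. The rule is also unrelated to the commit title and the rest of the change, so if it arrived via the merge it should be called out in the description. If the type is already present, a pointer such as `# sysfs_mac_address is labeled in genfs_contexts` next to the rule would make that dependency visible.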
diff --git a/untrusted_app.te b/untrusted_app.te
index 7422fb2..fa7152f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -80,6 +80,8 @@
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
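Review bot: The rule `allow untrusted_app mediaextractor_service:service_manager find;` is added twice on consecutive lines; checkpolicy tolerates the duplicate but it reads as a merge artifact and should be reduced to a single line. The remaining single rule exposes the new mediaextractor binder service directly to untrusted_app, which together with `binder_call(mediaextractor, appdomain)` in mediaextractor.te establishes a two-way binder path between untrusted apps and a daemon holding execmem and DRM decrypt permissions; that is presumably the intended design, but it is worth stating in the description since the title does not mention mediaextractor at all.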