rename mediaanalytics->mediametrics, wider access
Reflect the change from "mediaanalytics" to "mediametrics".
Also grants broader access to the service -- e.g. to anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media-related processes.
The metrics service (in another commit) checks the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
diff --git a/private/file_contexts b/private/file_contexts
index 22a3669..05b6731 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -183,7 +183,7 @@
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/mediaanalytics u:object_r:mediaanalytics_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediacodec u:object_r:mediacodec_exec:s0
diff --git a/private/mediaanalytics.te b/private/mediametrics.te
similarity index 77%
rename from private/mediaanalytics.te
rename to private/mediametrics.te
index 0092fbe..11f17d2 100644
--- a/private/mediaanalytics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,3 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-init_daemon_domain(mediaanalytics)
+init_daemon_domain(mediametrics)
diff --git a/private/platform_app.te b/private/platform_app.te
index ee1c9d3..8d03251 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,7 @@
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediacodec_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 95ef3e8..568afe6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -24,6 +24,7 @@
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index de0caa9..ebb3265 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -78,7 +78,7 @@
media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0
-media.analytics u:object_r:mediaanalytics_service:s0
+media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 57c82de..643f952 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -72,6 +72,7 @@
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app mediacodec_service:service_manager find;
+allow untrusted_app mediametrics_service:service_manager find;
allow untrusted_app mediadrmserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
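Review bot: The added `allow untrusted_app mediametrics_service:service_manager find;` carries no comment recording that it is safe only because the service validates its callers. With this rule any third-party app can obtain a handle to media.metrics, so the limits on unprivileged submissions described in the commit message are the sole control, and that code is in another commit not visible here. I would put a comment above the rule, e.g. `# mediametrics restricts what unprivileged callers may submit; see <change-id of the service-side check>`, and make sure that change lands no later than this one. The message says access is for "anyone", but this diff adds the rule only to platform_app, priv_app, untrusted_app and nfc; whether other app domains are meant to be covered cannot be told from these hunks.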
diff --git a/public/mediaanalytics.te b/public/mediaanalytics.te
deleted file mode 100644
index ea3f054..0000000
--- a/public/mediaanalytics.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# mediaanalytics - daemon for collecting media analytics data
-type mediaanalytics, domain;
-type mediaanalytics_exec, exec_type, file_type;
-
-
-binder_use(mediaanalytics)
-binder_call(mediaanalytics, binderservicedomain)
-binder_service(mediaanalytics)
-
-allow mediaanalytics mediaanalytics_service:service_manager add;
-
-allow mediaanalytics system_server:fd use;
-
-r_dir_file(mediaanalytics, cgroup)
-allow mediaanalytics proc_meminfo:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# mediaanalytics should never execute any executable without a
-# domain transition
-neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;
-
-# mediaanalytics should never need network access. Disallow network sockets.
-neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 1d6f7c1..27b27e0 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -10,7 +10,7 @@
binder_service(mediacodec)
allow mediacodec mediacodec_service:service_manager add;
-allow mediacodec mediaanalytics_service:service_manager find;
+allow mediacodec mediametrics_service:service_manager find;
allow mediacodec surfaceflinger_service:service_manager find;
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index c9e28d7..8173657 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -47,7 +47,7 @@
allow mediadrmserver mediadrmserver_service:service_manager { add find };
allow mediadrmserver mediaserver_service:service_manager { add find };
-allow mediadrmserver mediaanalytics_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index e5cf27e..7187c22 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -10,7 +10,7 @@
binder_service(mediaextractor)
allow mediaextractor mediaextractor_service:service_manager add;
-allow mediaextractor mediaanalytics_service:service_manager find;
+allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor system_server:fd use;
diff --git a/public/mediametrics.te b/public/mediametrics.te
new file mode 100644
index 0000000..9b4409b
--- /dev/null
+++ b/public/mediametrics.te
@@ -0,0 +1,26 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+allow mediametrics mediametrics_service:service_manager add;
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# mediametrics should never need network access. Disallow network sockets.
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
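Review bot: `binder_call(mediametrics, binderservicedomain)` is carried over unchanged from mediaanalytics, although this domain now takes input from untrusted apps. The two neverallow rules (no execute_no_trans, no network sockets) bound what a compromised daemon can do, but the outbound binder permission still covers every binder service domain. If the daemon only needs to call specific peers, narrowing it, e.g. `binder_call(mediametrics, system_server)`, would be tighter; which peers it needs is not visible in this diff. The header comment could also say that submissions come from unprivileged clients, `# mediametrics - daemon collecting media.metrics data, including from untrusted apps`.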
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 47a7738..34d567c 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -87,7 +87,7 @@
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver mediaanalytics_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
diff --git a/public/nfc.te b/public/nfc.te
index 9296a72..9a8b471 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -21,6 +21,7 @@
allow nfc audioserver_service:service_manager find;
allow nfc drmserver_service:service_manager find;
allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
allow nfc mediaextractor_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
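Review bot: The new `allow nfc mediametrics_service:service_manager find;` has no stated reason; the commit message speaks of application-space submitters but does not mention nfc. Presumably the NFC stack reaches the metrics service through the media framework, but that is an inference from the neighbouring media service grants. A one-line comment such as `# nfc submits media metrics when it uses the media framework` (wording to be confirmed by the author) would keep the grant auditable.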
diff --git a/public/service.te b/public/service.te
index d8da930..adcb177 100644
--- a/public/service.te
+++ b/public/service.te
@@ -13,7 +13,7 @@
type installd_service, service_manager_type;
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
-type mediaanalytics_service, service_manager_type;
+type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
diff --git a/public/system_server.te b/public/system_server.te
index e11476c..5dc99ab 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -199,7 +199,7 @@
mediadrmserver
mediaextractor
mediaserver
- mediaanalytics
+ mediametrics
sdcardd
surfaceflinger
}:process { signal };
@@ -492,7 +492,7 @@
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
-allow system_server mediaanalytics_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediacodec_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;