rename mediaanalytics->mediametrics, wider access reflect the change from "mediaanalytics" to "mediametrics" Also incorporates a broader access to the service -- e.g. anyone. This reflects that a number of metrics submissions come from application space and not only from our controlled, trusted media related processes. The metrics service (in another commit) checks on the source of any incoming metrics data and limits what is allowed from unprivileged clients. Bug: 34615027 Test: clean build, service running and accessible Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42

commit: 391854000a1331742a244b10cfd43b574bea4aea [log] [tgz]
author: Ray Essick <essick@google.com> Tue Jan 24 12:53:45 2017 -0800
committer: Ray Essick <essick@google.com> Tue Jan 24 16:57:19 2017 -0800
tree: 7b12980eb8892fadcb87b149e6e8bba65d5e8551
parent: 9559550791dad7dfc0c02adcc43b5434ecb30302 [diff]
diff --git a/public/mediaanalytics.te b/public/mediaanalytics.te
deleted file mode 100644
index ea3f054..0000000
--- a/public/mediaanalytics.te
+++ /dev/null

@@ -1,26 +0,0 @@
-# mediaanalytics - daemon for collecting media analytics data
-type mediaanalytics, domain;
-type mediaanalytics_exec, exec_type, file_type;
-
-
-binder_use(mediaanalytics)
-binder_call(mediaanalytics, binderservicedomain)
-binder_service(mediaanalytics)
-
-allow mediaanalytics mediaanalytics_service:service_manager add;
-
-allow mediaanalytics system_server:fd use;
-
-r_dir_file(mediaanalytics, cgroup)
-allow mediaanalytics proc_meminfo:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# mediaanalytics should never execute any executable without a
-# domain transition
-neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;
-
-# mediaanalytics should never need network access. Disallow network sockets.
-neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/public/mediacodec.te b/public/mediacodec.te
index 1d6f7c1..27b27e0 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te

@@ -10,7 +10,7 @@
 binder_service(mediacodec)
 
 allow mediacodec mediacodec_service:service_manager add;
-allow mediacodec mediaanalytics_service:service_manager find;
+allow mediacodec mediametrics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;

diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index c9e28d7..8173657 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te

@@ -47,7 +47,7 @@
 
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
-allow mediadrmserver mediaanalytics_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index e5cf27e..7187c22 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te

@@ -10,7 +10,7 @@
 binder_service(mediaextractor)
 
 allow mediaextractor mediaextractor_service:service_manager add;
-allow mediaextractor mediaanalytics_service:service_manager find;
+allow mediaextractor mediametrics_service:service_manager find;
 
 allow mediaextractor system_server:fd use;
 

diff --git a/public/mediametrics.te b/public/mediametrics.te
new file mode 100644
index 0000000..9b4409b
--- /dev/null
+++ b/public/mediametrics.te

@@ -0,0 +1,26 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+allow mediametrics mediametrics_service:service_manager add;
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# mediametrics should never need network access. Disallow network sockets.
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/public/mediaserver.te b/public/mediaserver.te
index 47a7738..34d567c 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te

@@ -87,7 +87,7 @@
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver mediaanalytics_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;

diff --git a/public/nfc.te b/public/nfc.te
index 9296a72..9a8b471 100644
--- a/public/nfc.te
+++ b/public/nfc.te

@@ -21,6 +21,7 @@
 allow nfc audioserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 

diff --git a/public/service.te b/public/service.te
index d8da930..adcb177 100644
--- a/public/service.te
+++ b/public/service.te

@@ -13,7 +13,7 @@
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
-type mediaanalytics_service,    service_manager_type;
+type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;

diff --git a/public/system_server.te b/public/system_server.te
index e11476c..5dc99ab 100644
--- a/public/system_server.te
+++ b/public/system_server.te

@@ -199,7 +199,7 @@
   mediadrmserver
   mediaextractor
   mediaserver
-  mediaanalytics
+  mediametrics
   sdcardd
   surfaceflinger
 }:process { signal };
@@ -492,7 +492,7 @@
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
-allow system_server mediaanalytics_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
commit	391854000a1331742a244b10cfd43b574bea4aea	[log] [tgz]
author	Ray Essick <essick@google.com>	Tue Jan 24 12:53:45 2017 -0800
committer	Ray Essick <essick@google.com>	Tue Jan 24 16:57:19 2017 -0800
tree	7b12980eb8892fadcb87b149e6e8bba65d5e8551
parent	9559550791dad7dfc0c02adcc43b5434ecb30302 [diff]