commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/mediaserver.te

diff --git a/private/mediaserver.te b/private/mediaserver.te
index 5fc13a8..d72caf6 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -33,3 +33,157 @@
 # Allow mediaserver to communicate with Surface provided
 # by virtual camera.
 binder_call(mediaserver, virtual_camera)
+
+typeattribute mediaserver mlstrustedsubject;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
+r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+  # ptrace to processes in the same domain for memory leak detection
+  allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
+allow mediaserver { sdcard_type fuse }:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+# Needed for mediaserver to send information to statsd socket.
+unix_socket_send(mediaserver, statsdw, statsd)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver package_native_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For hybrid interfaces
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
+# /vendor apk access
+allow mediaserver vendor_app_file:file { read map getattr };
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
+hal_client_domain(mediaserver, hal_allocator)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;