Merge "Support fine grain read access control for properties" am: 6fa6bdb6ee am: c28d909159
am: 67100b5f6e

* commit '67100b5f6ebb3595a6f9114ebc0704ca0fd4384f':
  Support fine grain read access control for properties
diff --git a/adbd.te b/adbd.te
index a35d570..a8f3017 100644
--- a/adbd.te
+++ b/adbd.te
@@ -74,9 +74,9 @@
 ')
 
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
+allow adbd { app_data_file autoplay_data_file }:dir search;
+allow adbd { app_data_file autoplay_data_file }:sock_file write;
+allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
 
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
diff --git a/autoplay_app.te b/autoplay_app.te
new file mode 100644
index 0000000..19e337b
--- /dev/null
+++ b/autoplay_app.te
@@ -0,0 +1,99 @@
+###
+### AutoPlay apps.
+###
+### This file defines the security policy for apps with the autoplay
+### feature.
+###
+### The autoplay_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to autoplay to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as autoplay at install time.
+type autoplay_app, domain;
+
+# allow JITing
+allow autoplay_app self:process execmem;
+allow autoplay_app ashmem_device:chr_file execute;
+
+# Define and allow access to our own type for ashmem regions.
+# Label ashmem objects with our own unique type.
+tmpfs_domain(autoplay_app)
+# Map with PROT_EXEC.
+allow autoplay_app autoplay_app_tmpfs:file execute;
+
+# Send logcat messages to logd.
+write_logd(autoplay_app)
+
+# Receive and use open file descriptors inherited from zygote.
+allow autoplay_app zygote:fd use;
+
+# Notify zygote of death;
+allow autoplay_app zygote:process sigchld;
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow autoplay_app zygote:unix_dgram_socket write;
+
+# App sandbox file accesses.
+allow autoplay_app autoplay_data_file:dir create_dir_perms;
+allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
+
+# For /acct/uid/*/tasks.
+allow autoplay_app cgroup:dir { search write };
+allow autoplay_app cgroup:file w_file_perms;
+
+# For art.
+allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
+allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
+allow autoplay_app dalvikcache_data_file:dir getattr;
+
+# debugfs access
+allow autoplay_app debugfs:dir r_dir_perms;
+allow autoplay_app debugfs:file w_file_perms;
+
+# Grant GPU access. autoplay_app needs that to render the standard UI.
+allow autoplay_app gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(autoplay_app)
+# Perform binder IPC to binder services.
+binder_call(autoplay_app, surfaceflinger)
+binder_call(autoplay_app, system_server)
+
+# Allow read access to ion memory allocation device
+allow autoplay_app ion_device:chr_file { read open };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow autoplay_app system_server:fifo_file rw_file_perms;
+allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Inherit or receive open files from system_server.
+allow autoplay_app system_server:fd use;
+
+# Communicate with surfaceflinger.
+allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Read files already opened under /data.
+allow autoplay_app system_data_file:file { getattr read };
+allow autoplay_app system_data_file:lnk_file read;
+
+# System file accesses. Check for libraries
+allow autoplay_app system_file:dir getattr;
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow autoplay_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow autoplay_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow autoplay_app debugfs:file read;
+
+# execute gpu_device
+neverallow autoplay_app gpu_device:chr_file execute;
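Review bot: The neverallow section at the end of the new file does not pin the network isolation the rest of the file implies: the domain is declared as `type autoplay_app, domain;` with no `net_domain()`, and its only socket permissions are on sockets already opened by system_server or surfaceflinger, yet nothing prevents a later edit from granting socket creation. If the reduced sandbox is meant to have no network of its own, `neverallow autoplay_app self:{ tcp_socket udp_socket } create;` next to the two netlink neverallows would state that intent and let the compiler enforce it. Separately, the `# debugfs access` comment does not say why `w_file_perms` on debugfs files is needed by an untrusted sandbox while the later comment calls debugfs leaky; a one-line reason (presumably tracing, but that should be confirmed) would help the next reviewer judge the write grant.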
diff --git a/bluetooth.te b/bluetooth.te
index 826856c..c4b9ba2 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -3,8 +3,6 @@
 app_domain(bluetooth)
 net_domain(bluetooth)
 
-wakelock_use(bluetooth);
-
 # Data file accesses.
 allow bluetooth bluetooth_data_file:dir create_dir_perms;
 allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
@@ -65,4 +63,4 @@
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
 neverallow bluetooth self:capability ~net_admin;
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:capability2 ~wake_alarm;
diff --git a/domain.te b/domain.te
index 02b884f..3aec211 100644
--- a/domain.te
+++ b/domain.te
@@ -135,7 +135,6 @@
   -init
   -ueventd
   -vold
-  -recovery
 } self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
@@ -232,6 +231,7 @@
 neverallow {
     domain
     -appdomain
+    -autoplay_app
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
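Review bot: The `-autoplay_app` exemption added to the `neverallow {` block has no comment, and the block's object and permissions lie past the end of the hunk, so it is not visible which restriction autoplay_app is being released from. Because autoplay_app is deliberately kept out of appdomain, every appdomain exemption must be re-granted by hand and each one widens the reduced sandbox; the new autoplay_app.te in this change contains no allow rule that obviously depends on this exemption. A short comment such as `# autoplay_app needs the same exemption as appdomain here (see autoplay_app.te)` would tie the two files together. The enclosing neverallow block continues outside the hunk.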
diff --git a/drmserver.te b/drmserver.te
index 3b654cc..9a9cfc0 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -10,7 +10,7 @@
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
+binder_call(drmserver, { appdomain autoplay_app })
 binder_service(drmserver)
 
 # Perform Binder IPC to mediaserver
@@ -20,7 +20,7 @@
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
+allow drmserver { app_data_file autoplay_data_file}:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
 
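Review bot: The type set on the `allow drmserver { app_data_file autoplay_data_file}:file` line is missing the space before the closing brace, unlike every other set added in this change (including the binder_call line in this file's first hunk); the policy compiles either way, but it defeats grep-based review of these rules. Use `allow drmserver { app_data_file autoplay_data_file }:file { read write getattr };`.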
diff --git a/dumpstate.te b/dumpstate.te
index 19eacfd..cc38b1d 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -44,13 +44,13 @@
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
+allow dumpstate { appdomain autoplay_app system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
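Review bot: The comment above the native process list says the list `comes from native_processes_to_dump in dumpstate/utils.c`, and this hunk adds mediaextractor to both the `:process signal` and `:debuggerd dump_backtrace` rules; that source list is outside this repository, so the addition presumes a matching change there. If dumpstate does not yet name mediaextractor, the two rules grant unused permissions; if it does, naming the companion change next to the comment would make the dependency reviewable. The same pattern recurs in system_server.te's dump_backtrace rule in this change.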
@@ -68,7 +68,7 @@
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, appdomain)
+binder_call(dumpstate, { appdomain autoplay_app })
 
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
diff --git a/file.te b/file.te
index 9251741..7d8a0ba 100644
--- a/file.te
+++ b/file.te
@@ -131,6 +131,7 @@
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type autoplay_data_file, file_type, data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
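Review bot: The new `type autoplay_data_file, file_type, data_file_type;` is inserted under the comment `# /data/data subdirectories - app sandboxes`, which was written for app_data_file, so the new type inherits a comment that does not distinguish it from the ordinary app sandbox type. Every other type in this list carries its own comment; a line such as `# /data/data subdirectories - autoplay_app sandboxes (see seapp_contexts).` keeps the list self-describing and points readers to where the label is assigned.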
diff --git a/file_contexts b/file_contexts
index 152dfb4..5d60822 100644
--- a/file_contexts
+++ b/file_contexts
@@ -164,6 +164,7 @@
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
diff --git a/installd.te b/installd.te
index 21cd4f0..379e074 100644
--- a/installd.te
+++ b/installd.te
@@ -86,8 +86,25 @@
 # setting owner/mode, creating symlinks within them, and deleting them
 # upon package uninstall.
 # Types extracted from seapp_contexts type= fields.
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+allow installd {
+    system_app_data_file
+    bluetooth_data_file
+    nfc_data_file
+    radio_data_file
+    shell_data_file
+    app_data_file
+    autoplay_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+    system_app_data_file
+    bluetooth_data_file
+    nfc_data_file
+    radio_data_file
+    shell_data_file
+    app_data_file
+    autoplay_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;
diff --git a/lmkd.te b/lmkd.te
index 0d641ca..a3b8bfc 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -16,6 +16,8 @@
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)
 allow lmkd appdomain:file write;
+r_dir_file(lmkd, autoplay_app)
+allow lmkd autoplay_app:file write;
 r_dir_file(lmkd, system_server)
 allow lmkd system_server:file write;
 
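Review bot: The two added lines duplicate the appdomain rules under the existing `## TODO: maybe scope this down?` instead of widening the type set as the other files in this change do, so the TODO now covers twice as many lines. `r_dir_file(lmkd, { appdomain autoplay_app })` and `allow lmkd { appdomain autoplay_app }:file write;` keep the rule in one place and match the set form already used with r_dir_file in surfaceflinger.te in this same change.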
diff --git a/mediaextractor.te b/mediaextractor.te
new file mode 100644
index 0000000..59fb179
--- /dev/null
+++ b/mediaextractor.te
@@ -0,0 +1,45 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain, domain_deprecated;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+init_daemon_domain(mediaextractor)
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+# Required by Widevine DRM (b/22990512)
+allow mediaextractor self:process execmem;
+
+allow mediaextractor kernel:system module_request;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaextractor, drmserver, drmserver)
+
+allow mediaextractor drmserver_service:service_manager find;
+allow mediaextractor mediaextractor_service:service_manager { add find };
+allow mediaextractor processinfo_service:service_manager find;
+
+use_drmservice(mediaextractor)
+allow mediaextractor drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
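Review bot: The new domain is declared with `domain_deprecated` and `mlstrustedsubject` and is granted `self:process execmem` and `kernel:system module_request`, which together read as a copy of mediaserver.te's rules rather than a minimal set for a daemon that parses untrusted media files; the execmem comment `# Required by Widevine DRM (b/22990512)` is the mediaserver justification, and it is not evident from the file that the extractor loads the same plugin. If domain_deprecated still carries the broad legacy permissions, a freshly introduced domain should not opt into it, and execmem removes the W^X protection exactly where attacker-controlled input is parsed, so each of these should either be justified in its own comment or dropped. The closing execute_no_trans neverallow is the right pattern; the same treatment for execmem would be worth considering once the DRM question is settled.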
diff --git a/mediaserver.te b/mediaserver.te
index e1c9a54..d924b02 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -11,7 +11,7 @@
 
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
+binder_call(mediaserver, { appdomain autoplay_app })
 binder_service(mediaserver)
 
 # Required by Widevine DRM (b/22990512)
@@ -45,7 +45,7 @@
 allow mediaserver radio_data_file:file { read getattr };
 
 # Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
+allow mediaserver { appdomain autoplay_app }:fifo_file { getattr read write };
 
 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
@@ -85,6 +85,7 @@
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 85572e2..e648863 100644
--- a/nfc.te
+++ b/nfc.te
@@ -19,6 +19,7 @@
 
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 117b16f..ed28c76 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@
 
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index 2ff9a37..c734f58 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -21,6 +21,7 @@
 
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app surfaceflinger_service:service_manager find;
diff --git a/seapp_contexts b/seapp_contexts
index d8d2240..5d5ad75 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
 # Input selectors:
 #	isSystemServer (boolean)
+#	isAutoPlayApp (boolean)
 #	isOwner (boolean)
 #	user (string)
 #	seinfo (string)
@@ -8,6 +9,7 @@
 #	isPrivApp (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
+# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
 # isOwner=true will only match for the owner/primary user.
 # isOwner=false will only match for secondary users.
 # If unspecified, the entry can match either case.
@@ -22,15 +24,16 @@
 #
 # Precedence rules:
 # 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isOwner= before unspecified isOwner= boolean.
-#	  (3) Specified user= string before unspecified user= string.
-#	  (4) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (5) Longer user= prefix before shorter user= prefix.
-#	  (6) Specified seinfo= string before unspecified seinfo= string.
+# 	  (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
+# 	  (3) Specified isOwner= before unspecified isOwner= boolean.
+#	  (4) Specified user= string before unspecified user= string.
+#	  (5) Fixed user= string before user= prefix (i.e. ending in *).
+#	  (6) Longer user= prefix before shorter user= prefix.
+#	  (7) Specified seinfo= string before unspecified seinfo= string.
 #	      ':' character is reserved and may not be used.
-#	  (7) Specified name= string before unspecified name= string.
-#	  (8) Specified path= string before unspecified path= string.
-# 	  (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#	  (8) Specified name= string before unspecified name= string.
+#	  (9) Specified path= string before unspecified path= string.
+# 	  (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
 #
 # Outputs:
 #	domain (string)
@@ -79,6 +82,9 @@
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
 
+# AutoPlay Apps must run in the autoplay_app domain
+neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
+
 isSystemServer=true domain=system_server
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
@@ -88,5 +94,6 @@
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app type=app_data_file levelFrom=user
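Review bot: The new `user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all` entry is the only app entry using `levelFrom=all` while its neighbours use `levelFrom=user`, and nothing explains the difference; since this decides the MLS categories on autoplay_data_file and therefore which subjects can reach those files, a comment on the line above such as `# autoplay apps use levelFrom=all (per-app categories — confirm intent)` would stop a later reader from "normalising" it to user. The new precedence rule (2) also means an app that is both isAutoPlayApp=true and isPrivApp=true lands in autoplay_app, which agrees with the added neverallow but is worth stating next to the entry.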
diff --git a/service.te b/service.te
index bac387f..15cf349 100644
--- a/service.te
+++ b/service.te
@@ -7,6 +7,7 @@
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
+type mediaextractor_service,    service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
diff --git a/service_contexts b/service_contexts
index 85dcd3d..f6c458d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -66,6 +66,7 @@
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.extractor                           u:object_r:mediaextractor_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
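Review bot: The `media.extractor` entry is inserted after `media.player`, breaking the alphabetical order the surrounding media.* lines keep (`media.camera.proxy`, `media.log`, `media.player`, `media.resource_manager`); it belongs between `media.camera.proxy` and `media.log`. Order has no effect on lookup, but keeping it sorted is what makes duplicate and missing service names easy to spot in review.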
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5d1199d..7a30a47 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -8,7 +8,7 @@
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, { appdomain autoplay_app })
 binder_call(surfaceflinger, bootanim)
 binder_service(surfaceflinger)
 
@@ -17,7 +17,7 @@
 
 # Read /proc/pid files for Binder clients.
 r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
+r_dir_file(surfaceflinger, { appdomain autoplay_app })
 
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -38,7 +38,7 @@
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
+allow surfaceflinger { appdomain autoplay_app }:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
 # Use open file provided by bootanim.
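Review bot: The `:fd use` rule is widened to `{ appdomain autoplay_app }`, but the line directly below it, `allow surfaceflinger app_data_file:file { read write };`, still names only app_data_file, so a descriptor an autoplay app passes for a file in its own sandbox (labelled autoplay_data_file by the seapp_contexts entry in this change) would be accepted and then denied on read or write. drmserver.te in this same change extends its matching rule to `{ app_data_file autoplay_data_file }`; if autoplay apps are expected to hand sandbox files to surfaceflinger the same widening is needed here, and if not, a comment saying the omission is deliberate would prevent a later "fix" that silently widens surfaceflinger's reach.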
diff --git a/system_server.te b/system_server.te
index 96d8773..f6a89af 100644
--- a/system_server.te
+++ b/system_server.te
@@ -73,10 +73,10 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server { appdomain autoplay_app }:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
+allow system_server { appdomain autoplay_app }:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
@@ -132,15 +132,16 @@
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
 binder_call(system_server, fingerprintd)
-binder_call(system_server, appdomain)
+binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
+r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, sdcardd)
 r_dir_file(system_server, surfaceflinger)
 r_dir_file(system_server, inputflinger)
@@ -247,7 +248,7 @@
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search };
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -321,8 +322,8 @@
 allow system_server gps_control:file rw_file_perms;
 
 # Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
@@ -375,6 +376,7 @@
 allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
@@ -426,10 +428,16 @@
 # Allow system process to relabel the fingerprint directory after mkdir
 allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
 
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
 userdebug_or_eng(`
   # Allow system server to create and write method traces in /data/misc/trace.
   allow system_server method_trace_data_file:dir w_dir_perms;
   allow system_server method_trace_data_file:file { create w_file_perms };
+
+  # Allow system server to read dmesg
+  allow system_server kernel:system syslog_read;
 ')
 
 ###
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 5a03b7f..d5853ae 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -204,6 +204,7 @@
 key_map rules[] = {
                 /*Inputs*/
                 { .name = "isSystemServer", .type = dt_bool,   .dir = dir_in,  .data = NULL },
+                { .name = "isAutoPlayApp",  .type = dt_bool,   .dir = dir_in,  .data = NULL },
                 { .name = "isOwner",        .type = dt_bool,   .dir = dir_in,  .data = NULL },
                 { .name = "user",           .type = dt_string, .dir = dir_in,  .data = NULL },
                 { .name = "seinfo",         .type = dt_string, .dir = dir_in,  .data = NULL },
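Review bot: Adding `isAutoPlayApp` to `rules[]` only teaches the build-time checker to accept the key; the table mirrors the input selector list in seapp_contexts and the keys the runtime seapp_contexts parser in libselinux understands, and that parser is outside this repository. If the runtime side does not know the key, the `isAutoPlayApp=true` entries added to seapp_contexts in this change would pass this tool and still be rejected on device, so the companion change should be referenced in the commit. `rules[]` continues past the end of the hunk.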
diff --git a/untrusted_app.te b/untrusted_app.te
index 9be39da..0af8642 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -80,6 +80,8 @@
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
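Review bot: The line `allow untrusted_app mediaextractor_service:service_manager find;` is added twice in a row; the duplicate does not change the compiled policy but is a copy-paste slip and will be reported by duplicate-rule checks. Keep a single copy between the mediaserver_service and nfc_service lines.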
diff --git a/zygote.te b/zygote.te
index 30ac4ed..f3a8853 100644
--- a/zygote.te
+++ b/zygote.te
@@ -11,13 +11,13 @@
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
+allow zygote { appdomain autoplay_app }:process dyntransition;
 # Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
+allow zygote { appdomain autoplay_app }:dir { getattr search };
+allow zygote { appdomain autoplay_app }:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
+allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
@@ -80,7 +80,7 @@
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {
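Review bot: The comment above the changed neverallow still says zygote may only dyntransition to types `associated with appdomain plus system_server`, but the rule now also exempts autoplay_app, so the comment contradicts the rule it explains. Change the last comment line to `# with appdomain, autoplay_app, plus system_server.` and consider adding one sentence saying autoplay_app is intentionally outside appdomain, since every other file in this change has to list it separately for the same reason. The neverallow opened on the hunk's final line continues outside it.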