| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 1 | # audioserver - audio services daemon |
| 2 | |
| 3 | type audioserver_exec, exec_type, file_type; |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 4 | init_daemon_domain(audioserver) |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 5 | |
| 6 | r_dir_file(audioserver, sdcard_type) |
| 7 | |
| 8 | binder_use(audioserver) |
| 9 | binder_call(audioserver, binderservicedomain) |
| 10 | binder_call(audioserver, appdomain) |
| 11 | binder_service(audioserver) |
| 12 | |
| Alex Klyubin | ac2b4cd | 2017-02-13 14:40:49 -0800 | [diff] [blame] | 13 | hal_client_domain(audioserver, hal_audio) |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 14 | |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 15 | allow audioserver system_file:dir r_dir_perms; |
| 16 | |
| 17 | userdebug_or_eng(` |
| 18 | # used for TEE sink - pcm capture for debug. |
| 19 | allow audioserver media_data_file:dir create_dir_perms; |
| 20 | allow audioserver audioserver_data_file:dir create_dir_perms; |
| 21 | allow audioserver audioserver_data_file:file create_file_perms; |
| 22 | |
| 23 | # ptrace to processes in the same domain for memory leak detection |
| 24 | allow audioserver self:process ptrace; |
| 25 | ') |
| 26 | |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 27 | add_service(audioserver, audioserver_service) |
| 28 | allow audioserver appops_service:service_manager find; |
| 29 | allow audioserver batterystats_service:service_manager find; |
| 30 | allow audioserver permission_service:service_manager find; |
| 31 | allow audioserver power_service:service_manager find; |
| 32 | allow audioserver scheduling_policy_service:service_manager find; |
| 33 | |
| 34 | # Grant access to audio files to audioserver |
| 35 | allow audioserver audio_data_file:dir ra_dir_perms; |
| 36 | allow audioserver audio_data_file:file create_file_perms; |
| 37 | |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 38 | ### |
| 39 | ### neverallow rules |
| 40 | ### |
| 41 | |
| 42 | # audioserver should never execute any executable without a |
| 43 | # domain transition |
| 44 | neverallow audioserver { file_type fs_type }:file execute_no_trans; |
| 45 | |
| Nick Kralevich | 38c1282 | 2017-02-16 12:34:51 -0800 | [diff] [blame] | 46 | # The goal of the mediaserver split is to place media processing code into |
| 47 | # restrictive sandboxes with limited responsibilities and thus limited |
| 48 | # permissions. Example: Audioserver is only responsible for controlling audio |
| 49 | # hardware and processing audio content. Cameraserver does the same for camera |
| 50 | # hardware/content. Etc. |
| 51 | # |
| 52 | # Media processing code is inherently risky and thus should have limited |
| 53 | # permissions and be isolated from the rest of the system and network. |
| 54 | # Lengthier explanation here: |
| 55 | # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html |
| Alex Klyubin | 238ce79 | 2017-02-07 10:47:18 -0800 | [diff] [blame] | 56 | neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *; |