1# mediaextractor - multimedia daemon 2type mediaextractor, domain; 3type mediaextractor_exec, system_file_type, exec_type, file_type; 4type mediaextractor_tmpfs, file_type; 5 6typeattribute mediaextractor mlstrustedsubject; 7 8binder_use(mediaextractor) 9binder_call(mediaextractor, binderservicedomain) 10binder_call(mediaextractor, appdomain) 11binder_service(mediaextractor) 12 13add_service(mediaextractor, mediaextractor_service) 14allow mediaextractor mediametrics_service:service_manager find; 15allow mediaextractor hidl_token_hwservice:hwservice_manager find; 16 17allow mediaextractor system_server:fd use; 18 19hal_client_domain(mediaextractor, hal_cas) 20hal_client_domain(mediaextractor, hal_allocator) 21 22r_dir_file(mediaextractor, cgroup) 23r_dir_file(mediaextractor, cgroup_v2) 24allow mediaextractor proc_meminfo:file r_file_perms; 25 26crash_dump_fallback(mediaextractor) 27 28# allow mediaextractor read permissions for file sources 29allow mediaextractor sdcard_type:file { getattr read }; 30allow mediaextractor media_rw_data_file:file { getattr read }; 31allow mediaextractor { app_data_file privapp_data_file }:file { getattr read }; 32 33# Read resources from open apk files passed over Binder 34allow mediaextractor apk_data_file:file { read getattr }; 35allow mediaextractor asec_apk_file:file { read getattr }; 36allow mediaextractor ringtone_file:file { read getattr }; 37 38# overlay package access 39allow mediaextractor vendor_overlay_file:file { read map }; 40 41# scan extractor library directory to dynamically load extractors 42allow mediaextractor system_file:dir { read open }; 43 44### 45### neverallow rules 46### 47 48# mediaextractor should never execute any executable without a 49# domain transition 50neverallow mediaextractor { file_type fs_type }:file execute_no_trans; 51 52# The goal of the mediaserver split is to place media processing code into 53# restrictive sandboxes with limited responsibilities and thus limited 54# permissions. Example: Audioserver is only responsible for controlling audio 55# hardware and processing audio content. Cameraserver does the same for camera 56# hardware/content. Etc. 57# 58# Media processing code is inherently risky and thus should have limited 59# permissions and be isolated from the rest of the system and network. 60# Lengthier explanation here: 61# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html 62neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *; 63 64# mediaextractor should not be opening /data files directly. Any files 65# it touches (with a few exceptions) need to be passed to it via a file 66# descriptor opened outside the process. 67neverallow mediaextractor { 68 data_file_type 69 -zoneinfo_data_file # time zone data from /data/misc/zoneinfo 70 userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins 71 with_native_coverage(`-method_trace_data_file') 72}:file open; 73