# mediaextractor: the daemon that parses/demuxes media containers. It is a
# core domain that is kept deliberately narrow -- media arrives as already
# opened descriptors and everything else goes through Binder. The neverallow
# block at the bottom pins the boundaries that must not be relaxed.
typeattribute mediaextractor coredomain;
typeattribute mediaextractor mlstrustedsubject;

init_daemon_domain(mediaextractor)
tmpfs_domain(mediaextractor)

# tmpfs-backed (shared memory) files labelled for apps, mediaserver and
# system_server all get the same read/write/map access.
allow mediaextractor {
    appdomain_tmpfs
    mediaserver_tmpfs
    system_server_tmpfs
}:file { getattr map read write };

# Binder: use the driver, be a service, and call other services and apps.
binder_use(mediaextractor)
binder_service(mediaextractor)
binder_call(mediaextractor, binderservicedomain)
binder_call(mediaextractor, appdomain)
add_service(mediaextractor, mediaextractor_service)
allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;

# Descriptors inherited from or passed by system_server may be used here.
allow mediaextractor system_server:fd use;

# HAL client access: conditional access (CAS) and the graphics allocator.
hal_client_domain(mediaextractor, hal_cas)
hal_client_domain(mediaextractor, hal_allocator)

# device_config system properties the extractor reads.
get_prop(mediaextractor, device_config_media_native_prop)
get_prop(mediaextractor, device_config_swcodec_native_prop)

# Read-only view of cgroup hierarchies and /proc/meminfo.
r_dir_file(mediaextractor, cgroup)
r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;

crash_dump_fallback(mediaextractor)

# File sources. Only getattr/read are granted -- no open -- so the file must
# already be open when it reaches this process (see the neverallow on
# data files at the bottom of this file).
allow mediaextractor {
    sdcard_type
    fuse
    media_rw_data_file
    app_data_file
    privapp_data_file
}:file { getattr read };

# Resources inside apk files and ringtones handed over via Binder.
allow mediaextractor {
    apk_data_file
    asec_apk_file
    ringtone_file
}:file { read getattr };

# Overlay packages: read and map, nothing more.
allow mediaextractor vendor_overlay_file:file { read map };

# List the system extractor library directory so plugins can be loaded
# dynamically.
allow mediaextractor system_file:dir { read open };

###
### neverallow rules
###

# Nothing may be exec'd from this domain without a domain transition.
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;

# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
neverallow mediaextractor {
    data_file_type
    userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
    with_native_coverage(`-method_trace_data_file')
}:file open;