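# SELinux policy for the mediametrics daemon (media metrics collection).
#
# Layout note: this file was recovered from a collapsed single-line copy with
# fused gutter numbers; the rules below are the original rules, one per line,
# with the bookkeeping digits removed. No rule has been added or dropped.

# mediametrics is part of the coredomain attribute group (system-image side
# domain, as opposed to vendor domains).
typeattribute mediametrics coredomain;

# Standard init-launched daemon domain setup (macro: domain type, init
# transition, executable labeling).
init_daemon_domain(mediametrics)

# Needed for stats callback registration to statsd: look up the stats and
# statsmanager services in servicemanager, then call into statsd over binder.
allow mediametrics stats_service:service_manager find;
allow mediametrics statsmanager_service:service_manager find;
binder_call(mediametrics, statsd)

# Generic binder plumbing: use the binder driver, call any binder service
# domain, and act as a binder service itself.
binder_use(mediametrics)
binder_call(mediametrics, binderservicedomain)
binder_service(mediametrics)

# Register the mediametrics service with servicemanager.
add_service(mediametrics, mediametrics_service)

# Allow use of file descriptors passed in by system_server.
allow mediametrics system_server:fd use;

# Read-only visibility into cgroups (v1 and v2) and /proc/meminfo.
r_dir_file(mediametrics, cgroup)
r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;

# allows interactions with dumpsys to GMScore
#
# Security note for reviewers: this grant is `write` only -- no `open`,
# `read` or `create`. mediametrics therefore cannot open an app's data file
# on its own; it can only write to a descriptor that is already open and was
# handed to it (e.g. the fd supplied to a dump request). Note also that the
# target types are app_data_file / privapp_data_file in general, i.e. the
# rule is not scoped to any particular package; the missing `open` is what
# keeps it confined to fds the caller chooses to pass in. Do not widen this
# rule to `open` or `rw_file_perms` without revisiting that reasoning.
allow mediametrics { app_data_file privapp_data_file }:file write;

# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;

# Allow metrics service to send information to statsd socket.
unix_socket_send(mediametrics, statsdw, statsd)

###
### neverallow rules
###

# mediametrics should never execute any executable without a
# domain transition (covers every file_type and fs_type label).
neverallow mediametrics { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
#
# No UDP or raw IP sockets at all. No TCP sockets either, except that on
# userdebug/eng builds the `su` domain is carved out of the forbidden set
# (the `-su` term is only expanded by userdebug_or_eng on those builds, so
# user builds keep the full prohibition).
neverallow mediametrics domain:{ udp_socket rawip_socket } *;
neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;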