1*e4a36f41SAndroid Build Coastguard Worker### 2*e4a36f41SAndroid Build Coastguard Worker### A domain for further sandboxing the MediaProvider mainline module. 3*e4a36f41SAndroid Build Coastguard Worker### 4*e4a36f41SAndroid Build Coastguard Workertype mediaprovider_app, domain, coredomain, bpfdomain; 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Workerapp_domain(mediaprovider_app) 7*e4a36f41SAndroid Build Coastguard Worker 8*e4a36f41SAndroid Build Coastguard Worker# Access to /mnt/pass_through. 9*e4a36f41SAndroid Build Coastguard Workerr_dir_file(mediaprovider_app, mnt_pass_through_file) 10*e4a36f41SAndroid Build Coastguard Worker 11*e4a36f41SAndroid Build Coastguard Worker# Allow MediaProvider to host a FUSE daemon for external storage 12*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app fuse_device:chr_file { read write ioctl getattr }; 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Allow MediaProvider to access fuseblk devices for external storage. 15*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app fuseblk:dir create_dir_perms; 16*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app fuseblk:file create_file_perms; 17*e4a36f41SAndroid Build Coastguard Worker 18*e4a36f41SAndroid Build Coastguard Worker# Allow MediaProvider to read/write media_rw_data_file files and dirs 19*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app media_userdir_file:dir r_dir_perms; 20*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app media_rw_data_file:file create_file_perms; 21*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app media_rw_data_file:dir create_dir_perms; 22*e4a36f41SAndroid Build Coastguard Worker 23*e4a36f41SAndroid Build Coastguard Worker# Talk to the DRM service 24*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app drmserver_service:service_manager find; 25*e4a36f41SAndroid Build Coastguard Worker 26*e4a36f41SAndroid Build Coastguard Worker# Talk to the MediaServer service 27*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app mediaserver_service:service_manager find; 28*e4a36f41SAndroid Build Coastguard Worker 29*e4a36f41SAndroid Build Coastguard Worker# Talk to the AudioServer service 30*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app audioserver_service:service_manager find; 31*e4a36f41SAndroid Build Coastguard Worker 32*e4a36f41SAndroid Build Coastguard Worker# Talk to the MediaCodec APIs that log media metrics 33*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app mediametrics_service:service_manager find; 34*e4a36f41SAndroid Build Coastguard Worker 35*e4a36f41SAndroid Build Coastguard Worker# Talk to regular app services 36*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app app_api_service:service_manager find; 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# Talk to the GPU service 39*e4a36f41SAndroid Build Coastguard Workerbinder_call(mediaprovider_app, gpuservice) 40*e4a36f41SAndroid Build Coastguard Worker 41*e4a36f41SAndroid Build Coastguard Worker# Talk to statsd 42*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app statsmanager_service:service_manager find; 43*e4a36f41SAndroid Build Coastguard Workerbinder_call(mediaprovider_app, statsd) 44*e4a36f41SAndroid Build Coastguard Worker 45*e4a36f41SAndroid Build Coastguard Worker# read pipe-max-size configuration 46*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app proc_pipe_conf:file r_file_perms; 47*e4a36f41SAndroid Build Coastguard Worker 48*e4a36f41SAndroid Build Coastguard Worker# Allow MediaProvider to set extended attributes (such as quota project ID) 49*e4a36f41SAndroid Build Coastguard Worker# on media files. 50*e4a36f41SAndroid Build Coastguard Workerallowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl { 51*e4a36f41SAndroid Build Coastguard Worker FS_IOC_FSGETXATTR 52*e4a36f41SAndroid Build Coastguard Worker FS_IOC_FSSETXATTR 53*e4a36f41SAndroid Build Coastguard Worker FS_IOC_GETFLAGS 54*e4a36f41SAndroid Build Coastguard Worker FS_IOC_SETFLAGS 55*e4a36f41SAndroid Build Coastguard Worker}; 56*e4a36f41SAndroid Build Coastguard Worker 57*e4a36f41SAndroid Build Coastguard Worker# Access external sdcards through /mnt/media_rw 58*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app { mnt_media_rw_file }:dir search; 59*e4a36f41SAndroid Build Coastguard Worker 60*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app proc_filesystems:file r_file_perms; 61*e4a36f41SAndroid Build Coastguard Worker 62*e4a36f41SAndroid Build Coastguard Worker#Allow MediaProvider to see if sdcardfs is in use 63*e4a36f41SAndroid Build Coastguard Workerget_prop(mediaprovider_app, storage_config_prop) 64*e4a36f41SAndroid Build Coastguard Worker 65*e4a36f41SAndroid Build Coastguard Workerget_prop(mediaprovider_app, drm_service_config_prop) 66*e4a36f41SAndroid Build Coastguard Worker 67*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app gpu_device:chr_file rw_file_perms; 68*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app gpu_device:dir r_dir_perms; 69*e4a36f41SAndroid Build Coastguard Worker 70*e4a36f41SAndroid Build Coastguard Workerdontaudit mediaprovider_app sysfs_vendor_sched:dir search; 71*e4a36f41SAndroid Build Coastguard Workerdontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms; 72*e4a36f41SAndroid Build Coastguard Worker 73*e4a36f41SAndroid Build Coastguard Worker# bpfprog access for FUSE BPF 74*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app fs_bpf:file read; 75*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app bpfloader:bpf { map_read map_write prog_run }; 76*e4a36f41SAndroid Build Coastguard Worker 77*e4a36f41SAndroid Build Coastguard Worker# boot animations on oem are stored with specific label 78*e4a36f41SAndroid Build Coastguard Workerallow mediaprovider_app bootanim_oem_file:file r_file_perms; 79