1# mediaextractor - multimedia daemon
2type mediaextractor, domain;
3type mediaextractor_exec, system_file_type, exec_type, file_type;
4type mediaextractor_tmpfs, file_type;
5
6typeattribute mediaextractor mlstrustedsubject;
7
8binder_use(mediaextractor)
9binder_call(mediaextractor, binderservicedomain)
10binder_call(mediaextractor, appdomain)
11binder_service(mediaextractor)
12
13add_service(mediaextractor, mediaextractor_service)
14allow mediaextractor mediametrics_service:service_manager find;
15allow mediaextractor hidl_token_hwservice:hwservice_manager find;
16
17allow mediaextractor system_server:fd use;
18
19hal_client_domain(mediaextractor, hal_cas)
20hal_client_domain(mediaextractor, hal_allocator)
21
22r_dir_file(mediaextractor, cgroup)
23allow mediaextractor proc_meminfo:file r_file_perms;
24
25crash_dump_fallback(mediaextractor)
26
27# allow mediaextractor read permissions for file sources
28allow mediaextractor sdcard_type:file { getattr read };
29allow mediaextractor media_rw_data_file:file { getattr read };
30allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
31
32# Read resources from open apk files passed over Binder
33allow mediaextractor apk_data_file:file { read getattr };
34allow mediaextractor asec_apk_file:file { read getattr };
35allow mediaextractor ringtone_file:file { read getattr };
36
37# scan extractor library directory to dynamically load extractors
38allow mediaextractor system_file:dir { read open };
39
40get_prop(mediaextractor, device_config_media_native_prop)
41
42###
43### neverallow rules
44###
45
46# mediaextractor should never execute any executable without a
47# domain transition
48neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
49
50# The goal of the mediaserver split is to place media processing code into
51# restrictive sandboxes with limited responsibilities and thus limited
52# permissions. Example: Audioserver is only responsible for controlling audio
53# hardware and processing audio content. Cameraserver does the same for camera
54# hardware/content. Etc.
55#
56# Media processing code is inherently risky and thus should have limited
57# permissions and be isolated from the rest of the system and network.
58# Lengthier explanation here:
59# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
60neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
61
62# mediaextractor should not be opening /data files directly. Any files
63# it touches (with a few exceptions) need to be passed to it via a file
64# descriptor opened outside the process.
65neverallow mediaextractor {
66  data_file_type
67  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
68  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
69  with_native_coverage(`-method_trace_data_file')
70}:file open;
71