# mediaextractor - multimedia daemon
#
# Policy for the media extractor process: a sandboxed service that parses
# container formats on behalf of other media components. The rules below
# grant only Binder access, a small set of read-only file and proc
# permissions, and then pin the sandbox with neverallow rules (no exec
# without a domain transition, no network sockets).
type mediaextractor, domain;
type mediaextractor_exec, exec_type, file_type;

# MLS trusted subject: the domain is exempt from MLS level constraints
# (needed to exchange descriptors with callers at other levels).
typeattribute mediaextractor mlstrustedsubject;

# Binder: act as a client, call into system services and apps, and
# expose itself as a Binder service.
binder_use(mediaextractor)
binder_call(mediaextractor, binderservicedomain)
binder_call(mediaextractor, appdomain)
binder_service(mediaextractor)

# Register mediaextractor_service with servicemanager; the only other
# services it may look up are mediametrics and mediacas.
add_service(mediaextractor, mediaextractor_service)
allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor mediacasserver_service:service_manager find;

# File descriptors handed over by system_server may be used.
allow mediaextractor system_server:fd use;

# Read-only view of cgroup and memory statistics; no write access.
r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;

# Let crash_dump collect a tombstone if the process crashes.
crash_dump_fallback(mediaextractor)

# allow mediaextractor read permissions for file sources
# Note: only { getattr read } is granted, never open - the descriptors
# are expected to arrive already open (over Binder), so the domain cannot
# open arbitrary files of these types on its own.
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor app_data_file:file { getattr read };

# Read resources from open apk files passed over Binder
# Same pattern as above: read on an inherited fd, no open permission.
allow mediaextractor apk_data_file:file { read getattr };
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };

###
### neverallow rules
###

# mediaextractor should never execute any executable without a
# domain transition
# Covers every file_type and fs_type, so this cannot be relaxed by
# labeling a file with a new type elsewhere in the policy.
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# No TCP, UDP or raw IP socket permission of any kind, against any domain
# (including sockets created by mediaextractor itself).
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;