-
Nick Kralevich authored
When playing protected content on manta, surfaceflinger would crash. STEPS TO REPRODUCE: 1. Launch Play Movies & TV 2. Play any movie and observe OBSERVED RESULTS: Device reboot while playing movies EXPECTED RESULTS: No device reboot Even though this only reproduces on manta, this seems appropriate for a general policy. Addresses the following denials: <5>[ 36.066819] type=1400 audit(1389141624.471:9): avc: denied { write } for pid=1855 comm="TimedEventQueue" name="tlcd_sock" dev="mmcblk0p9" ino=627097 scontext=u:r:mediaserver:s0 tcontext=u:object_r:drmserver_socket:s0 tclass=sock_file <5>[ 36.066985] type=1400 audit(1389141624.471:10): avc: denied { connectto } for pid=1855 comm="TimedEventQueue" path="/data/app/tlcd_sock" scontext=u:r:mediaserver:s0 tcontext=u:r:drmserver:s0 tclass=unix_stream_socket <5>[ 41.379708] type=1400 audit(1389141629.786:15): avc: denied { connectto } for pid=120 comm="surfaceflinger" path=006D636461656D6F6E scontext=u:r:surfaceflinger:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket <5>[ 41.380051] type=1400 audit(1389141629.786:16): avc: denied { read write } for pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file <5>[ 41.380209] type=1400 audit(1389141629.786:17): avc: denied { open } for pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file <5>[ 41.380779] type=1400 audit(1389141629.786:18): avc: denied { ioctl } for pid=120 comm="surfaceflinger" path="/dev/mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file Change-Id: I20286ec2a6cf0d190a84ad74e88e94468bab9fdb Bug: 12434847e45603d3
mediaserver.te 2.38 KiB
# mediaserver - multimedia daemon
type mediaserver, domain;
permissive mediaserver;
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
init_daemon_domain(mediaserver)
unix_socket_connect(mediaserver, property, init)
r_dir_file(mediaserver, sdcard_type)
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver self:process execmem;
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir rw_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver graphics_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver qemu_device:chr_file rw_file_perms;
allow mediaserver tee_device:chr_file rw_file_perms;
allow mediaserver audio_prop:property_service set;
# Access audio devices at all.
allow mediaserver audio_device:chr_file rw_file_perms;
# XXX Label with a specific type?
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;
# Camera data
r_dir_file(mediaserver, camera_data_file)
r_dir_file(mediaserver, media_rw_data_file)
# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)