Confine mediaserver, but leave it permissive for now.

Confine the mediaserver domain, restoring our rules for it,
but leave it permissive until sufficient testing has been
performed.

Change-Id: I3d10ee16f5125b11295bc40ff6f2e14080b4bd00
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/mediaserver.te b/mediaserver.te
index 1b94d86..1a065b0 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,7 +1,57 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
+typeattribute mediaserver mlstrustedsubject;
+
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unconfined_domain(mediaserver)
+unix_socket_connect(mediaserver, property, init)
+
+r_dir_file(mediaserver, sdcard_type)
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver self:process execmem;
+allow mediaserver kernel:system module_request;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver audio_prop:property_service set;
+
+# Access audio devices at all.
+allow mediaserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+
+# XXX Why?
+allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
+
+# Access camera device.
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+# Camera calibration
+allow mediaserver camera_calibration_file:dir r_dir_perms;
+allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };
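Review bot: The broad grants at lines 33–36 and 50 (`execmem`, read/write on every `app_data_file`, read/write on all of `sysfs`) carry no comment saying why mediaserver needs them, which makes the later move to enforcing hard to audit; the two `XXX` markers already show that gap for sysfs and the apk files only. Since the domain is permissive, the denial log will show which of these rules are actually exercised, so each one should be annotated with its justification before `permissive mediaserver;` is dropped, and `typeattribute mediaserver mlstrustedsubject;` (line 19) deserves a comment too, since that attribute presumably exempts the domain from MLS constraints. If mediaserver only receives app files as descriptors already opened by the caller, `rw_file_perms` on `app_data_file` (which, if it follows the usual macro definition, includes `open`) is wider than needed and could be narrowed to `allow mediaserver app_data_file:file { getattr read write };` — worth confirming against the audit log first.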