# audioserver - audio services daemon
#
# Type enforcement rules for the audioserver domain. The macros used below
# (init_daemon_domain, r_dir_file, binder_*, unix_socket_connect,
# userdebug_or_eng) and the permission sets (r_file_perms, rw_file_perms,
# create_file_perms, ...) are defined elsewhere in the policy tree and are
# not expanded in this file, so the exact permissions they grant must be
# read from those definitions.
type audioserver, domain;
# Label for the daemon executable.
type audioserver_exec, exec_type, file_type;

# Expansion not shown; presumably sets up the transition from init into the
# audioserver domain when a file labeled audioserver_exec is executed.
init_daemon_domain(audioserver)

# Read access to every type carrying the sdcard_type attribute.
# NOTE(review): this is an attribute-wide grant; check the attribute
# membership to see which storage types it reaches.
r_dir_file(audioserver, sdcard_type)

# Binder IPC. Expansions not shown: binder_use presumably enables binder via
# the service manager, binder_call permits calls into the named target
# domains, and binder_service marks audioserver as a binder service provider.
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, { appdomain autoplay_app })
binder_service(audioserver)

# Read access to entries labeled with the generic proc type.
r_dir_file(audioserver, proc)
# Read access to the ion_device character device.
allow audioserver ion_device:chr_file r_file_perms;
# Directory read access on system_file directories.
allow audioserver system_file:dir r_dir_perms;

# Debug-only grants. The macro definition is not shown; going by its name the
# enclosed rules are compiled in for userdebug and eng builds only, so they
# should be absent from user-build policy.
# NOTE(review): the enclosed text is m4-quoted; keep quote characters out of
# any comment added inside the block.
userdebug_or_eng(`
  # used for TEE sink - pcm capture for debug.
  allow audioserver media_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:dir create_dir_perms;
  allow audioserver audioserver_data_file:file create_file_perms;

  # ptrace to processes in the same domain for memory leak detection
  # Target is self, so this does not grant ptrace of any other domain.
  allow audioserver self:process ptrace;
')

# Audio device nodes: read the directory, read and write the character devices.
allow audioserver audio_device:dir r_dir_perms;
allow audioserver audio_device:chr_file rw_file_perms;

# Service manager: audioserver may register (add) and look up (find) its own
# service; every other service listed here is lookup (find) only.
allow audioserver audioserver_service:service_manager { add find };
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;

# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
# Expansion not shown; the arguments presumably name the client domain, the
# socket, and the server domain. Confirm against the macro definition.
unix_socket_connect(audioserver, bluetooth, bluetooth)

###
### neverallow rules
###
# neverallow statements grant nothing. They are assertions checked when the
# policy is compiled: an allow rule that matches one fails the build.

# audioserver should never execute any executable without a
# domain transition
# execute_no_trans is the permission to run a file while staying in the
# calling domain; it is denied here for every file_type and fs_type.
neverallow audioserver { file_type fs_type }:file execute_no_trans;

# audioserver should never need network access. Disallow network sockets.
# Covers the tcp_socket, udp_socket and rawip_socket classes only. Other
# socket classes, such as the unix socket used for the bluetooth connection
# above, are not constrained by this rule.
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;