# mediametrics - daemon for collecting media.metrics data
#
# SELinux type-enforcement policy for the mediametrics daemon.
# `mediametrics` is the process domain (it carries the `domain` attribute);
# `mediametrics_exec` labels the daemon's executable (`exec_type`,
# `file_type`). The transition into the `mediametrics` domain on exec is not
# declared in this file (presumably an init_daemon_domain() rule elsewhere
# — confirm).
type mediametrics, domain;
type mediametrics_exec, exec_type, file_type;


# Binder: let the daemon use binder, call into domains that carry the
# binderservicedomain attribute, and be reachable as a binder service itself.
binder_use(mediametrics)
binder_call(mediametrics, binderservicedomain)
binder_service(mediametrics)

# Register with servicemanager under the mediametrics_service label. Which
# clients may look the service up is governed by the callers' own rules,
# not by this file.
add_service(mediametrics, mediametrics_service)

# Accept file descriptors handed over by system_server. This is what makes
# the write-to-an-already-open-descriptor pattern below usable.
allow mediametrics system_server:fd use;

# Read-only visibility into cgroup directories/files and the proc_meminfo
# file; no write permission is granted to either.
r_dir_file(mediametrics, cgroup)
allow mediametrics proc_meminfo:file r_file_perms;

# allows interactions with dumpsys to GMScore
# Only `write` is granted, not `open`: the daemon cannot open app_data_file
# objects on its own and can only write to a descriptor that was opened by
# someone else and passed to it (see the fd-use rule above).
# NOTE(review): app_data_file covers app-private data generally, not just
# GMScore; the narrowing to the intended dumpsys flow rests on the absence
# of `open`, so this rule should stay write-only.
allow mediametrics app_data_file:file write;

###
### neverallow rules
###
# neverallow rules are enforced when the policy is compiled: an allow rule
# that contradicts one of them fails the build, so these are compile-time
# guarantees rather than runtime denials.

# mediametrics should never execute any executable without a
# domain transition
# (execute_no_trans = run a file while staying in the current domain, which
# would let the daemon's permissions leak into arbitrary code.)
neverallow mediametrics { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
#
# `domain` as the target covers sockets labelled with any process domain
# (including the daemon's own) and `*` covers every permission, so no
# TCP/UDP/raw-IP socket access of any kind can be granted to mediametrics.
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
