| # mediametrics - daemon for collecting media.metrics data |
| type mediametrics, domain; |
| type mediametrics_exec, system_file_type, exec_type, file_type; |
| |
| |
| binder_use(mediametrics) |
| binder_call(mediametrics, binderservicedomain) |
| binder_service(mediametrics) |
| |
| add_service(mediametrics, mediametrics_service) |
| |
| allow mediametrics system_server:fd use; |
| |
| r_dir_file(mediametrics, cgroup) |
| allow mediametrics proc_meminfo:file r_file_perms; |
| |
| # allows interactions with dumpsys to GMScore |
| allow mediametrics { app_data_file privapp_data_file }:file write; |
| |
| # allow access to package manager for uid->apk mapping |
| allow mediametrics package_native_service:service_manager find; |
| |
| # Allow metrics service to send information to statsd socket. |
| unix_socket_send(mediametrics, statsdw, statsd) |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # mediametrics should never execute any executable without a |
| # domain transition |
| neverallow mediametrics { file_type fs_type }:file execute_no_trans; |
| |
| # The goal of the mediaserver split is to place media processing code into |
| # restrictive sandboxes with limited responsibilities and thus limited |
| # permissions. Example: Audioserver is only responsible for controlling audio |
| # hardware and processing audio content. Cameraserver does the same for camera |
| # hardware/content. Etc. |
| # |
| # Media processing code is inherently risky and thus should have limited |
| # permissions and be isolated from the rest of the system and network. |
| # Lengthier explanation here: |
| # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html |
| neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *; |