| # mediaserver - multimedia daemon |
| type mediaserver, domain; |
| type mediaserver_exec, exec_type, file_type; |
| |
| typeattribute mediaserver mlstrustedsubject; |
| |
| net_domain(mediaserver) |
| init_daemon_domain(mediaserver) |
| unix_socket_connect(mediaserver, property, init) |
| |
| r_dir_file(mediaserver, sdcard_type) |
| |
| binder_use(mediaserver) |
| binder_call(mediaserver, binderservicedomain) |
| binder_call(mediaserver, appdomain) |
| binder_service(mediaserver) |
| |
| allow mediaserver kernel:system module_request; |
| allow mediaserver app_data_file:dir search; |
| allow mediaserver app_data_file:file rw_file_perms; |
| allow mediaserver platform_app_data_file:file { getattr read }; |
| allow mediaserver sdcard_type:file write; |
| allow mediaserver camera_device:chr_file rw_file_perms; |
| allow mediaserver graphics_device:chr_file rw_file_perms; |
| allow mediaserver video_device:chr_file rw_file_perms; |
| allow mediaserver audio_device:dir r_dir_perms; |
| allow mediaserver audio_device:chr_file rw_file_perms; |
| allow mediaserver qemu_device:chr_file rw_file_perms; |
| allow mediaserver tee_device:chr_file rw_file_perms; |
| allow mediaserver audio_prop:property_service set; |
| |
| # XXX Label with a specific type? |
| allow mediaserver sysfs:file rw_file_perms; |
| |
| # XXX Why? |
| allow mediaserver apk_data_file:file { read getattr }; |
| |
| # To use remote processor |
| allow mediaserver rpmsg_device:chr_file rw_file_perms; |
| |
| # Inter System processes communicate over named pipe (FIFO) |
| allow mediaserver system:fifo_file r_file_perms; |
| |
| # Camera calibration |
| allow mediaserver camera_calibration_file:dir r_dir_perms; |
| allow mediaserver camera_calibration_file:file r_file_perms; |
| |
| # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid |
| allow mediaserver qtaguid_proc:file rw_file_perms; |
| allow mediaserver qtaguid_device:chr_file r_file_perms; |
| |
| # Allow abstract socket connection |
| allow mediaserver rild:unix_stream_socket { connectto read write setopt }; |