Skip to content
Snippets Groups Projects
Normal view Permalink
mediacodec.te 967 B
Newer Older
  • Learn to ignore specific revisions
    • Marco Nelissen's avatar
    selinux rules for codec process
    Marco Nelissen committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 
    # mediacodec - audio and video codecs live here
type mediacodec, domain;
type mediacodec_exec, exec_type, file_type;

typeattribute mediacodec mlstrustedsubject;

init_daemon_domain(mediacodec)

binder_use(mediacodec)
binder_call(mediacodec, binderservicedomain)
binder_call(mediacodec, appdomain)
binder_service(mediacodec)

allow mediacodec mediacodec_service:service_manager add;
    Marco Nelissen's avatar
    mediacodec: grant access to surfaceflinger  
    Marco Nelissen committed
    15 
    allow mediacodec surfaceflinger_service:service_manager find;
    Marco Nelissen's avatar
    selinux rules for codec process
    Marco Nelissen committed
    16 17 
    allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
    Robb Glasser's avatar
    elinux: Update access rules for codec process  
    Robb Glasser committed
    18 
    allow mediacodec video_device:dir search;
    Marco Nelissen's avatar
    Add missing selinux permissions for mediacodec  
    Marco Nelissen committed
    19 
    allow mediacodec ion_device:chr_file rw_file_perms;
    Marco Nelissen's avatar
    selinux rules for codec process
    Marco Nelissen committed
    20 21 22 23 24 25 26 27 28 
    
###
### neverallow rules
###

# mediacodec should never execute any executable without a
# domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
    Jeff Vander Stoep's avatar
    buildtime/cts enforce no inet access for media domains  
    Jeff Vander Stoep committed
    29 30 
    # mediacodec should never need network access. Disallow network sockets.
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;