Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container Registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
067ffcc1
Commit
067ffcc1
authored
11 years ago
by
Nick Kralevich
Committed by
Gerrit Code Review
11 years ago
Browse files
Options
Downloads
Plain Diff
Merge "Confine mediaserver, but leave it permissive for now."
parents
73c5ea72
af9238c9
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
mediaserver.te
+51
-1
51 additions, 1 deletion
mediaserver.te
with
51 additions
and
1 deletion
mediaserver.te
+
51
−
1
View file @
067ffcc1
# mediaserver - multimedia daemon
type mediaserver, domain;
permissive mediaserver;
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
init_daemon_domain(mediaserver)
unconfined_domain(mediaserver)
unix_socket_connect(mediaserver, property, init)
r_dir_file(mediaserver, sdcard_type)
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver self:process execmem;
allow mediaserver kernel:system module_request;
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver graphics_device:chr_file rw_file_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver qemu_device:chr_file rw_file_perms;
allow mediaserver tee_device:chr_file rw_file_perms;
allow mediaserver audio_prop:property_service set;
# Access audio devices at all.
allow mediaserver audio_device:chr_file rw_file_perms;
# XXX Label with a specific type?
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;
# Camera calibration
allow mediaserver camera_calibration_file:dir r_dir_perms;
allow mediaserver camera_calibration_file:file r_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
