# mediacodec - domain for the process that hosts the audio and video codecs.
# NOTE(review): codecs usually parse media supplied by other processes, so
# every grant below is worth auditing as attack surface - confirm against the
# service's actual callers.
type mediacodec, domain;
type mediacodec_exec, exec_type, file_type;

# NOTE(review): mlstrustedsubject is normally used to exempt a subject from
# MLS constraints; the constraint definitions are outside this file - confirm
# the exemption is still required for this domain.
typeattribute mediacodec mlstrustedsubject;

# Macro defined outside this file; presumably sets up the transition from init
# into this domain when mediacodec_exec is executed - verify in te_macros.
init_daemon_domain(mediacodec)

# Binder IPC. The macros are defined outside this file; by their arguments,
# mediacodec may call into binderservicedomain and appdomain and is itself
# registered as a binder service.
binder_use(mediacodec)
binder_call(mediacodec, binderservicedomain)
binder_call(mediacodec, appdomain)
binder_service(mediacodec)

# Service manager: register its own service, look up surfaceflinger's.
allow mediacodec mediacodec_service:service_manager add;
allow mediacodec surfaceflinger_service:service_manager find;

# Direct access to the GPU, video and ION character devices.
# NOTE(review): rw_file_perms is defined outside this file; if it includes
# ioctl, these driver nodes are reachable kernel attack surface and may be
# candidates for a per-device ioctl allowlist - confirm.
allow mediacodec { gpu_device video_device ion_device }:chr_file rw_file_perms;
allow mediacodec video_device:dir search;

###
### neverallow rules
###
# These are build-time assertions: policy compilation fails if any allow rule
# (here or elsewhere) grants the listed access. They add no runtime check of
# their own.

# mediacodec must not run any file in its own domain; every exec has to go
# through a domain transition.
neverallow mediacodec { file_type fs_type }:file execute_no_trans;

# mediacodec should never need network access. This rule covers only the
# tcp_socket, udp_socket and rawip_socket classes; other socket classes are
# not constrained by it.
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;