1 # mediadrmserver - mediadrm daemon 2 type mediadrmserver, domain; 3 type mediadrmserver_exec, exec_type, file_type; 4 5 typeattribute mediadrmserver mlstrustedsubject; 6 7 net_domain(mediadrmserver) 8 binder_use(mediadrmserver) 9 binder_call(mediadrmserver, binderservicedomain) 10 binder_call(mediadrmserver, appdomain) 11 binder_service(mediadrmserver) 12 hal_client_domain(mediadrmserver, hal_drm) 13 14 add_service(mediadrmserver, mediadrmserver_service) 15 allow mediadrmserver mediaserver_service:service_manager find; 16 allow mediadrmserver mediametrics_service:service_manager find; 17 allow mediadrmserver processinfo_service:service_manager find; 18 allow mediadrmserver surfaceflinger_service:service_manager find; 19 allow mediadrmserver system_file:dir r_dir_perms; 20 21 add_service(mediadrmserver, mediacasserver_service) 22 23 binder_call(mediadrmserver, mediacodec) 24 ### 25 ### neverallow rules 26 ### 27 28 # mediadrmserver should never execute any executable without a 29 # domain transition 30 neverallow mediadrmserver { file_type fs_type }:file execute_no_trans; 31 32 # do not allow privileged socket ioctl commands 33 neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 34
