commit ff43be2ca9dcc80711fc14e0bfb847951f677243
author Inseob Kim <inseob@google.com> Mon Jun 07 16:56:56 2021 +0900
committer Inseob Kim <inseob@google.com> Mon Jun 07 18:44:35 2021 +0900
tree bf5e839c17d58df2298c811dbf18624f24b48133
parent b50e0fabe77f1f16a9d1fd79cd351bef3834c77c

Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

microdroid/sepolicy/system/private/mediaserver.te

diff --git a/microdroid/sepolicy/system/private/mediaserver.te b/microdroid/sepolicy/system/private/mediaserver.te
new file mode 100644
index 0000000..6fe460c
--- /dev/null
+++ b/microdroid/sepolicy/system/private/mediaserver.te
@@ -0,0 +1,20 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
+allow mediaserver appdomain_tmpfs:file { getattr map read write };
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
+hal_client_domain(mediaserver, hal_drm)
+hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
+set_prop(mediaserver, audio_prop)
+
+get_prop(mediaserver, drm_service_config_prop)
+get_prop(mediaserver, media_config_prop)
+
+# Allow mediaserver to start media.transcoding service via ctl.start.
+set_prop(mediaserver, ctl_mediatranscoding_prop);