selinux rules for codec process
Bug: 22775369
Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
diff --git a/mediacodec.te b/mediacodec.te
new file mode 100644
index 0000000..cf2047c
--- /dev/null
+++ b/mediacodec.te
@@ -0,0 +1,29 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+init_daemon_domain(mediacodec)
+
+binder_use(mediacodec)
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+binder_service(mediacodec)
+
+allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# mediacodec should never need network access. Disallow all sockets
+# other than those needed for normal system functions
+neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
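Review bot: The policy references types this file does not declare — `mediacodec_service` on the `service_manager add` line (L23) and the binary type `mediacodec_exec` used by `init_daemon_domain` — so the build and the init transition depend on a `mediacodec_service` declaration, a service_contexts entry and a file_contexts entry for the codec binary, none of which are in this diff; if they land in a separate change, name it in the commit message. The `typeattribute mediacodec mlstrustedsubject;` line also deserves a why-comment, since it exempts a domain whose job is parsing untrusted media from MLS constraints; something like `# mlstrustedsubject: needed to serve binder clients across users -- confirm this is the minimal grant`. Because `binder_call(mediacodec, appdomain)` lets the codec domain call into any app domain, it would help to state in the header comment that this domain is an isolation boundary for untrusted media parsing, so later reviewers keep the allow set minimal and treat new allows against it with care.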