| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute mediadrmserver coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | init_daemon_domain(mediadrmserver) |
| Mathias Agopian | 9901ff7 | 2017-03-29 19:08:34 -0700 | [diff] [blame] | 4 | |
| 5 | # allocate and use graphic buffers |
| 6 | hal_client_domain(mediadrmserver, hal_graphics_allocator) |
| 7 | auditallow mediadrmserver hal_graphics_allocator_server:binder call; |
| 8 | |
| Inseob Kim | 75806ef | 2024-03-27 17:18:41 +0900 | [diff] [blame^] | 9 | typeattribute mediadrmserver mlstrustedsubject; |
| 10 | |
| 11 | net_domain(mediadrmserver) |
| 12 | binder_use(mediadrmserver) |
| 13 | binder_call(mediadrmserver, binderservicedomain) |
| 14 | binder_call(mediadrmserver, appdomain) |
| 15 | binder_service(mediadrmserver) |
| 16 | hal_client_domain(mediadrmserver, hal_drm) |
| 17 | |
| 18 | add_service(mediadrmserver, mediadrmserver_service) |
| 19 | allow mediadrmserver mediaserver_service:service_manager find; |
| 20 | allow mediadrmserver mediametrics_service:service_manager find; |
| 21 | allow mediadrmserver processinfo_service:service_manager find; |
| 22 | allow mediadrmserver surfaceflinger_service:service_manager find; |
| 23 | allow mediadrmserver system_file:dir r_dir_perms; |
| 24 | |
| 25 | # TODO(b/80317992): remove |
| 26 | binder_call(mediadrmserver, hal_omx_server) |
| 27 | |
| 28 | ### |
| 29 | ### neverallow rules |
| 30 | ### |
| 31 | |
| 32 | # mediadrmserver should never execute any executable without a |
| 33 | # domain transition |
| 34 | neverallow mediadrmserver { file_type fs_type }:file execute_no_trans; |
| 35 | |
| 36 | # do not allow privileged socket ioctl commands |
| 37 | neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; |