| Ray Essick | 090f4a4 | 2016-12-02 11:26:54 -0800 | [diff] [blame] | 1 | # mediaanalytics - daemon for collecting media analytics data |
| 2 | type mediaanalytics, domain; |
| 3 | type mediaanalytics_exec, exec_type, file_type; |
| 4 | |
| 5 | |
| 6 | binder_use(mediaanalytics) |
| 7 | binder_call(mediaanalytics, binderservicedomain) |
| 8 | binder_service(mediaanalytics) |
| 9 | |
| 10 | allow mediaanalytics mediaanalytics_service:service_manager add; |
| 11 | |
| 12 | allow mediaanalytics system_server:fd use; |
| 13 | |
| 14 | r_dir_file(mediaanalytics, cgroup) |
| 15 | allow mediaanalytics proc_meminfo:file r_file_perms; |
| 16 | |
| 17 | ### |
| 18 | ### neverallow rules |
| 19 | ### |
| 20 | |
| 21 | # mediaanalytics should never execute any executable without a |
| 22 | # domain transition |
| 23 | neverallow mediaanalytics { file_type fs_type }:file execute_no_trans; |
| 24 | |
| 25 | # mediaanalytics should never need network access. Disallow network sockets. |
| 26 | neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *; |