| Marco Nelissen | 2afb217 | 2015-12-16 15:47:57 -0800 | [diff] [blame] | 1 | # mediacodec - multimedia daemon |
| 2 | type mediacodec, domain, domain_deprecated; |
| 3 | type mediacodec_exec, exec_type, file_type; |
| 4 | |
| 5 | typeattribute mediacodec mlstrustedsubject; |
| 6 | |
| 7 | init_daemon_domain(mediacodec) |
| 8 | |
| 9 | binder_use(mediacodec) |
| 10 | binder_call(mediacodec, binderservicedomain) |
| 11 | binder_call(mediacodec, appdomain) |
| 12 | binder_service(mediacodec) |
| 13 | |
| 14 | allow mediacodec kernel:system module_request; |
| 15 | allow mediacodec gpu_device:chr_file rw_file_perms; |
| 16 | allow mediacodec video_device:dir r_dir_perms; |
| 17 | allow mediacodec video_device:chr_file rw_file_perms; |
| 18 | |
| 19 | # Needed on some devices for playing DRM protected content, |
| 20 | # but seems expected and appropriate for all devices. |
| 21 | unix_socket_connect(mediacodec, drmserver, drmserver) |
| 22 | |
| 23 | allow mediacodec drmserver_service:service_manager find; |
| 24 | allow mediacodec mediacodec_service:service_manager { add find }; |
| 25 | allow mediacodec processinfo_service:service_manager find; |
| 26 | allow mediacodec surfaceflinger_service:service_manager find; |
| 27 | |
| 28 | use_drmservice(mediacodec) |
| 29 | allow mediacodec drmserver:drmservice { |
| 30 | consumeRights |
| 31 | setPlaybackStatus |
| 32 | openDecryptSession |
| 33 | closeDecryptSession |
| 34 | initializeDecryptUnit |
| 35 | decrypt |
| 36 | finalizeDecryptUnit |
| 37 | pread |
| 38 | }; |
| 39 | |
| 40 | ### |
| 41 | ### neverallow rules |
| 42 | ### |
| 43 | |
| 44 | # mediacodec should never execute any executable without a |
| 45 | # domain transition |
| 46 | neverallow mediacodec { file_type fs_type }:file execute_no_trans; |