# SELinux type-enforcement policy for the Android "mediaprovider" domain.
# Rules are additive: an "allow" grants the listed permissions on the target
# type/class, a macro expands to a fixed set of allows, and a "neverallow" is
# a build-time assertion that fails policy compilation if any allow rule in
# the whole policy matches it.
type mediaprovider, domain;

# MtpServer uses /dev/mtp_usb
# Read/write (rw_file_perms) on the character device labeled mtp_device.
allow mediaprovider mtp_device:chr_file rw_file_perms;

# MtpServer uses /dev/usb-ffs/mtp
# "search" on the FunctionFS directory is the minimum needed to resolve a
# path through it; file access itself is read/write.
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;

# MtpServer sets sys.usb.ffs.mtp.ready
# NOTE(review): property permissions are per label, so this grants "set" on
# every property carrying the ffs_prop context, not only the one named
# above — check which properties share that label.
set_prop(mediaprovider, ffs_prop)

# Service-manager lookups ("find") only; registering ("add") is forbidden by
# the neverallow further down.
allow mediaprovider mediacodec_service:service_manager find;
allow mediaprovider mediadrmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider system_api_service:service_manager find;

# /sys and /proc access
# r_dir_file = read-only directory + file permissions. sysfs_type is an
# attribute, so this covers every sysfs label; "proc" is the generic /proc
# label. That is a broad read surface — the debugfs neverallow below is the
# only explicit carve-out. Presumably needed for USB/MTP state under /sys;
# confirm before widening further.
r_dir_file(mediaprovider, sysfs_type)
r_dir_file(mediaprovider, proc)
r_dir_file(mediaprovider, rootfs)

# Access to /data/preloads
# Read-only (r_file_perms); no directory permissions are granted here.
allow mediaprovider preloads_data_file:file r_file_perms;

###
### neverallow rules (see corresponding rules in priv_app)
###
### Each of these fails the policy build if an allow rule anywhere grants
### the named access, so they guard against accidental widening in other
### files as well as in this one.

# Receive or send uevent messages.
# "*" denies every permission in the class; the target "domain" attribute
# means sockets owned by any domain, including mediaprovider itself.
neverallow mediaprovider domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow mediaprovider domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow mediaprovider debugfs:file read;

# Only trusted components of Android should be registering
# services.
# service_manager_type is an attribute over all service labels, so this
# blocks "add" on any of them while the "find" rules above remain legal.
neverallow mediaprovider service_manager_type:service_manager add;

# Do not allow mediaprovider to be assigned mlstrustedsubject.
# Presumably every domain may fork itself (allow in domain.te), so if
# mediaprovider ever carried the mlstrustedsubject attribute this rule would
# match that self-fork allow and break the build — confirm against domain.te.
neverallow mediaprovider mlstrustedsubject:process fork;

# Do not allow mediaprovider to hard link to any files.
# A hard link would let the domain create a second name for any file it can
# reach, under a directory it controls, so the restriction covers every
# file_type rather than a specific label.
neverallow mediaprovider file_type:file link;