Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-16 / . / private / mediaswcodec.te
blob: c96c9dd709d83ee8cf11e7e49e8383414cf592e2 [file] [log] [blame]
Chong Zhangbdbfff12018-09-20 12:07:44 -0700[diff] [blame]1typeattribute mediaswcodec coredomain;
2
3init_daemon_domain(mediaswcodec)
4
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]5get_prop(mediaswcodec, device_config_media_native_prop)
Nick Chalko81a4dd42021-02-11 09:12:51 -0800[diff] [blame]6get_prop(mediaswcodec, device_config_swcodec_native_prop)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]7
8hal_server_domain(mediaswcodec, hal_codec2)
9
10# mediaswcodec may use an input surface from a different Codec2 service or an
11# OMX service
12hal_client_domain(mediaswcodec, hal_codec2)
13hal_client_domain(mediaswcodec, hal_omx)
14
15hal_client_domain(mediaswcodec, hal_allocator)
16hal_client_domain(mediaswcodec, hal_graphics_allocator)
17
18# get aac_drc_* properties
19get_prop(mediaswcodec, aac_drc_prop)
20
21crash_dump_fallback(mediaswcodec)
22
23allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
24allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
25allow mediaswcodec gpu_device:chr_file rw_file_perms;
26allow mediaswcodec gpu_device:dir r_dir_perms;
27
28###
29### Neverallow rules
30###
31
32# mediaswcodec_server should never execute any executable without a
33# domain transition
34neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
35
36# Media processing code is inherently risky and thus should have limited
37# permissions and be isolated from the rest of the system and network.
38# Lengthier explanation here:
39# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
40neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
41neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;