platform_system_sepolicy/private/mediaprovider_app.te

46 lines
1.4 KiB
Text
Raw Normal View History

###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain;
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
# Talk to the DRM service
allow mediaprovider_app drmserver_service:service_manager find;
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
# Allow MediaProvider to set extended attributes (such as quota project ID)
# on media files.
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
# Access external sdcards through /mnt/media_rw
allow mediaprovider_app { mnt_media_rw_file }:dir search;
allow mediaprovider_app proc_filesystems:file r_file_perms;