# mediaanalytics - daemon for collecting media analytics data
#
# Type-enforcement policy for the mediaanalytics domain. The allow rules
# below are the complete grant list visible in this file; the neverallow
# section at the end pins down what must never be granted to the domain.

# Process domain for the daemon and the label of its executable.
type mediaanalytics, domain;
type mediaanalytics_exec, exec_type, file_type;

# Binder IPC setup.
# NOTE(review): binder_use/binder_call/binder_service are macros defined
# outside this file (te_macros in AOSP); check their expansion when
# auditing the effective permissions, since the rules they emit are not
# visible here.
binder_use(mediaanalytics)
binder_call(mediaanalytics, binderservicedomain)
binder_service(mediaanalytics)

# Let the daemon register its own service type with the service manager.
allow mediaanalytics mediaanalytics_service:service_manager add;

# Permit use of file descriptors that originate from system_server.
allow mediaanalytics system_server:fd use;

# Read access to cgroup and proc_meminfo labelled files. r_dir_file and
# r_file_perms are defined elsewhere; the r_ prefix suggests read-only
# permission sets -- confirm against the macro definitions.
r_dir_file(mediaanalytics, cgroup)
allow mediaanalytics proc_meminfo:file r_file_perms;

###
### neverallow rules
###
# neverallow statements grant nothing at runtime. They are assertions
# checked when the policy is built: any allow rule (here or in another
# policy file) that matches one of them makes the build fail.

# mediaanalytics should never execute any executable without a
# domain transition
# (execute_no_trans would run the new program inside the mediaanalytics
# domain itself, with every permission granted above.)
neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;

# mediaanalytics should never need network access. Disallow network sockets.
# The trailing * covers every permission on the three listed classes.
# Only tcp_socket, udp_socket and rawip_socket are named; other socket
# classes are not constrained by this rule.
neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;