8b22f85d91
No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I46b6b79b3a13108020114f3c3555adeac021b0a9
30 lines
883 B
Text
30 lines
883 B
Text
# mediaextractor - multimedia daemon
|
|
type mediaextractor, domain;
|
|
type mediaextractor_exec, exec_type, file_type;
|
|
|
|
typeattribute mediaextractor mlstrustedsubject;
|
|
|
|
init_daemon_domain(mediaextractor)
|
|
|
|
binder_use(mediaextractor)
|
|
binder_call(mediaextractor, binderservicedomain)
|
|
binder_call(mediaextractor, appdomain)
|
|
binder_service(mediaextractor)
|
|
|
|
allow mediaextractor mediaextractor_service:service_manager add;
|
|
|
|
allow mediaextractor system_server:fd use;
|
|
|
|
r_dir_file(mediaextractor, cgroup)
|
|
allow mediaextractor proc_meminfo:file r_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# mediaextractor should never execute any executable without a
|
|
# domain transition
|
|
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
|
|
|
|
# mediaextractor should never need network access. Disallow network sockets.
|
|
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
|