platform_system_sepolicy/public/mediametrics.te

# mediametrics - daemon for collecting media.metrics data
type mediametrics, domain;
type mediametrics_exec, exec_type, file_type;


binder_use(mediametrics)
binder_call(mediametrics, binderservicedomain)
binder_service(mediametrics)

add_service(mediametrics, mediametrics_service)

allow mediametrics system_server:fd use;

r_dir_file(mediametrics, cgroup)
allow mediametrics proc_meminfo:file r_file_perms;

###
### neverallow rules
###

# mediametrics should never execute any executable without a
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;

# mediametrics should never need network access. Disallow network sockets.
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;