platform_system_sepolicy/public/mediaextractor.te

# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, exec_type, file_type;

typeattribute mediaextractor mlstrustedsubject;

binder_use(mediaextractor)
binder_call(mediaextractor, binderservicedomain)
binder_call(mediaextractor, appdomain)
binder_service(mediaextractor)

add_service(mediaextractor, mediaextractor_service)
allow mediaextractor mediametrics_service:service_manager find;

allow mediaextractor system_server:fd use;

r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;

###
### neverallow rules
###

# mediaextractor should never execute any executable without a
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# mediaextractor should never need network access. Disallow network sockets.
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;