4c06d273bc
Actually, some of the policies related to qtaguid were already there, but we refine the existing ones and add new ones.
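# mediaserver - multimedia daemon
#
# Type declarations and allow rules for the mediaserver domain. The macros
# (init_daemon_domain, net_domain, binder_*, r_dir_file) and the permission
# sets (rw_file_perms, r_file_perms, r_dir_perms) are defined elsewhere in the
# policy tree and are not shown in this file.
type mediaserver, domain;
type mediaserver_exec, exec_type, file_type;

# Domain setup. Presumably init transitions into this domain when it executes
# a mediaserver_exec binary, and net_domain grants socket/network access;
# confirm against the macro definitions.
init_daemon_domain(mediaserver)
net_domain(mediaserver)
# NOTE(review): mlstrustedsubject is the attribute MLS constraints use to
# exempt a subject from level/category separation. That is a broad exemption
# for a daemon that reads app data and sdcard content; keep it only while the
# app_data_file access below really depends on it.
typeattribute mediaserver mlstrustedsubject;
# system:module_request lets this domain cause the kernel to auto-load a
# module on demand.
allow mediaserver kernel:system module_request;
# Binder IPC: use binder, call binder services and apps, and offer a binder
# service of its own.
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
# App private data: directory search plus read/getattr on files. No open
# permission appears in this file, so unless it is granted elsewhere these
# files are only usable through descriptors another process hands over.
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file { read getattr };
# Read sdcard directories and files, plus write on sdcard files (no create
# permission is added here).
r_dir_file(mediaserver, sdcard)
allow mediaserver sdcard:file write;
# Read/write access to device nodes; judging by the type names these are the
# camera, graphics, video, audio and emulator (qemu) devices.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver graphics_device:chr_file rw_file_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver audio_device:chr_file rw_file_perms;
allow mediaserver qemu_device:chr_file rw_file_perms;
# XXX Label with a specific type?
# NOTE(review): this grants read/write on every file still carrying the
# generic sysfs label. Narrowing it needs a dedicated type on the sysfs nodes
# mediaserver actually writes, then an allow rule on that type only.
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
# NOTE(review): read/getattr only, without open, so as written this covers
# APK files received as already-open descriptors; the reason for the access is
# still undocumented.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver ion_device:chr_file rw_file_perms;

# To use remote processor
allow mediaserver rpmsg_device:chr_file rw_file_perms;

# Inter System processes communicate over named pipe (FIFO)
# Read-only: mediaserver may read FIFOs labelled with the system type but is
# not given write access here.
allow mediaserver system:fifo_file r_file_perms;

# Camera calibration
# Read-only access to the calibration directory and its files.
allow mediaserver camera_calibration_file:dir r_dir_perms;
allow mediaserver camera_calibration_file:file r_file_perms;

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
# The proc control file gets read/write; the device node is read-only.
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;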