| # mediacodec - multimedia daemon |
| # SELinux policy for the mediacodec process: declares its domain and executable |
| # type, then grants the Binder, device-node, socket and service_manager access |
| # the daemon uses. The neverallow at the bottom bounds any later additions. |
| type mediacodec, domain, domain_deprecated; |
| # NOTE(review): domain_deprecated carries broad legacy rules shared by domains |
| # whose needs have not yet been enumerated; confirm which of them mediacodec |
| # still depends on before this attribute can be dropped. |
| type mediacodec_exec, exec_type, file_type; |
| |
| # mlstrustedsubject exempts the domain from MLS constraints (standard attribute). |
| typeattribute mediacodec mlstrustedsubject; |
| |
| # Started by init; presumably transitions into this domain when mediacodec_exec runs. |
| init_daemon_domain(mediacodec) |
| |
| # Binder: use the driver, call into any Binder service domain and into any app |
| # domain, and host a Binder service itself. The appdomain grant is the broad one. |
| binder_use(mediacodec) |
| binder_call(mediacodec, binderservicedomain) |
| binder_call(mediacodec, appdomain) |
| binder_service(mediacodec) |
| |
| # May ask the kernel to load a module (module_request, not direct loading). |
| # Read/write on the GPU and video device nodes is the hardware surface the |
| # hardware codecs drive. |
| allow mediacodec kernel:system module_request; |
| allow mediacodec gpu_device:chr_file rw_file_perms; |
| allow mediacodec video_device:dir r_dir_perms; |
| allow mediacodec video_device:chr_file rw_file_perms; |
| |
| # Needed on some devices for playing DRM protected content, |
| # but seems expected and appropriate for all devices. |
| unix_socket_connect(mediacodec, drmserver, drmserver) |
| |
| # service_manager: look up the listed services; mediacodec_service is the one |
| # this daemon registers (add) as well as looks up (find). |
| allow mediacodec drmserver_service:service_manager find; |
| allow mediacodec mediacodec_service:service_manager { add find }; |
| allow mediacodec processinfo_service:service_manager find; |
| allow mediacodec surfaceflinger_service:service_manager find; |
| |
| # DRM client access: the use_drmservice macro plus only the drmservice |
| # operations enumerated below, rather than a blanket grant on the class. |
| use_drmservice(mediacodec) |
| allow mediacodec drmserver:drmservice { |
| consumeRights |
| setPlaybackStatus |
| openDecryptSession |
| closeDecryptSession |
| initializeDecryptUnit |
| decrypt |
| finalizeDecryptUnit |
| pread |
| }; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # mediacodec should never execute any executable without a |
| # domain transition |
| # Checked at policy build time: any allow rule granting execute_no_trans on a |
| # file_type or fs_type to mediacodec would fail compilation. |
| neverallow mediacodec { file_type fs_type }:file execute_no_trans; |