private/mediaswcodec.te - platform/system/sepolicy - Git at Google

 typeattribute mediaswcodec coredomain;

 init_daemon_domain(mediaswcodec)

 get_prop(mediaswcodec, device_config_media_native_prop)
 get_prop(mediaswcodec, device_config_swcodec_native_prop)

 hal_server_domain(mediaswcodec, hal_codec2)

 # mediaswcodec may use an input surface from a different Codec2 service or an
 # OMX service
 hal_client_domain(mediaswcodec, hal_codec2)
 hal_client_domain(mediaswcodec, hal_omx)

 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)

 # get aac_drc_* properties
 get_prop(mediaswcodec, aac_drc_prop)

 crash_dump_fallback(mediaswcodec)

 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow mediaswcodec gpu_device:chr_file rw_file_perms;
 allow mediaswcodec gpu_device:dir r_dir_perms;

 ###
 ### Neverallow rules
 ###

 # mediaswcodec_server should never execute any executable without a
 # domain transition
 neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;

 # Media processing code is inherently risky and thus should have limited
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
 neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
	typeattribute mediaswcodec coredomain;

	init_daemon_domain(mediaswcodec)

	get_prop(mediaswcodec, device_config_media_native_prop)
	get_prop(mediaswcodec, device_config_swcodec_native_prop)

	hal_server_domain(mediaswcodec, hal_codec2)

	# mediaswcodec may use an input surface from a different Codec2 service or an
	# OMX service
	hal_client_domain(mediaswcodec, hal_codec2)
	hal_client_domain(mediaswcodec, hal_omx)

	hal_client_domain(mediaswcodec, hal_allocator)
	hal_client_domain(mediaswcodec, hal_graphics_allocator)

	# get aac_drc_* properties
	get_prop(mediaswcodec, aac_drc_prop)

	crash_dump_fallback(mediaswcodec)

	allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
	allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
	allow mediaswcodec gpu_device:chr_file rw_file_perms;
	allow mediaswcodec gpu_device:dir r_dir_perms;

	###
	### Neverallow rules
	###

	# mediaswcodec_server should never execute any executable without a
	# domain transition
	neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;

	# Media processing code is inherently risky and thus should have limited
	# permissions and be isolated from the rest of the system and network.
	# Lengthier explanation here:
	# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
	neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
	neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;