1# mediadrmserver - mediadrm daemon 2type mediadrmserver, domain; 3type mediadrmserver_exec, exec_type, file_type; 4 5typeattribute mediadrmserver mlstrustedsubject; 6 7net_domain(mediadrmserver) 8binder_use(mediadrmserver) 9binder_call(mediadrmserver, binderservicedomain) 10binder_call(mediadrmserver, appdomain) 11binder_service(mediadrmserver) 12hal_client_domain(mediadrmserver, hal_drm) 13 14add_service(mediadrmserver, mediadrmserver_service) 15allow mediadrmserver mediaserver_service:service_manager find; 16allow mediadrmserver mediametrics_service:service_manager find; 17allow mediadrmserver processinfo_service:service_manager find; 18allow mediadrmserver surfaceflinger_service:service_manager find; 19allow mediadrmserver system_file:dir r_dir_perms; 20 21binder_call(mediadrmserver, mediacodec) 22### 23### neverallow rules 24### 25 26# mediadrmserver should never execute any executable without a 27# domain transition 28neverallow mediadrmserver { file_type fs_type }:file execute_no_trans; 29 30# do not allow privileged socket ioctl commands 31neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 32