1typeattribute mediadrmserver coredomain; 2 3init_daemon_domain(mediadrmserver) 4 5# allocate and use graphic buffers 6hal_client_domain(mediadrmserver, hal_graphics_allocator) 7auditallow mediadrmserver hal_graphics_allocator_server:binder call; 8 9typeattribute mediadrmserver mlstrustedsubject; 10 11net_domain(mediadrmserver) 12binder_use(mediadrmserver) 13binder_call(mediadrmserver, binderservicedomain) 14binder_call(mediadrmserver, appdomain) 15binder_service(mediadrmserver) 16hal_client_domain(mediadrmserver, hal_drm) 17 18add_service(mediadrmserver, mediadrmserver_service) 19allow mediadrmserver mediaserver_service:service_manager find; 20allow mediadrmserver mediametrics_service:service_manager find; 21allow mediadrmserver processinfo_service:service_manager find; 22allow mediadrmserver surfaceflinger_service:service_manager find; 23allow mediadrmserver system_file:dir r_dir_perms; 24 25# TODO(b/80317992): remove 26binder_call(mediadrmserver, hal_omx_server) 27 28### 29### neverallow rules 30### 31 32# mediadrmserver should never execute any executable without a 33# domain transition 34neverallow mediadrmserver { file_type fs_type }:file execute_no_trans; 35 36# do not allow privileged socket ioctl commands 37neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 38