mediaserver.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # mediaserver - multimedia daemon
 type mediaserver, domain;
 permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;

 typeattribute mediaserver mlstrustedsubject;

 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 unix_socket_connect(mediaserver, property, init)

 r_dir_file(mediaserver, sdcard_type)

 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
 binder_service(mediaserver)

 allow mediaserver self:process execmem;
 allow mediaserver kernel:system module_request;
 allow mediaserver media_data_file:dir rw_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver qemu_device:chr_file rw_file_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
 allow mediaserver audio_prop:property_service set;

 # Access audio devices at all.
 allow mediaserver audio_device:chr_file rw_file_perms;

 # XXX Label with a specific type?
 allow mediaserver sysfs:file rw_file_perms;

 # XXX Why?
 allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };

 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;

 # Inter System processes communicate over named pipe (FIFO)
 allow mediaserver system_server:fifo_file r_file_perms;

 # Camera data
 allow mediaserver camera_data_file:dir r_dir_perms;
 allow mediaserver camera_data_file:file r_file_perms;

 # Grant access to audio files to mediaserver
 allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;

 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;

 # Allow abstract socket connection
 allow mediaserver rild:unix_stream_socket { connectto read write setopt };
	# mediaserver - multimedia daemon
	type mediaserver, domain;
	permissive mediaserver;
	type mediaserver_exec, exec_type, file_type;

	typeattribute mediaserver mlstrustedsubject;

	net_domain(mediaserver)
	init_daemon_domain(mediaserver)
	unix_socket_connect(mediaserver, property, init)

	r_dir_file(mediaserver, sdcard_type)

	binder_use(mediaserver)
	binder_call(mediaserver, binderservicedomain)
	binder_call(mediaserver, appdomain)
	binder_service(mediaserver)

	allow mediaserver self:process execmem;
	allow mediaserver kernel:system module_request;
	allow mediaserver media_data_file:dir rw_dir_perms;
	allow mediaserver media_data_file:file create_file_perms;
	allow mediaserver app_data_file:dir search;
	allow mediaserver app_data_file:file rw_file_perms;
	allow mediaserver platform_app_data_file:file { getattr read };
	allow mediaserver sdcard_type:file write;
	allow mediaserver graphics_device:chr_file rw_file_perms;
	allow mediaserver video_device:chr_file rw_file_perms;
	allow mediaserver audio_device:dir r_dir_perms;
	allow mediaserver qemu_device:chr_file rw_file_perms;
	allow mediaserver tee_device:chr_file rw_file_perms;
	allow mediaserver audio_prop:property_service set;

	# Access audio devices at all.
	allow mediaserver audio_device:chr_file rw_file_perms;

	# XXX Label with a specific type?
	allow mediaserver sysfs:file rw_file_perms;

	# XXX Why?
	allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };

	# Access camera device.
	allow mediaserver camera_device:chr_file rw_file_perms;
	allow mediaserver rpmsg_device:chr_file rw_file_perms;

	# Inter System processes communicate over named pipe (FIFO)
	allow mediaserver system_server:fifo_file r_file_perms;

	# Camera data
	allow mediaserver camera_data_file:dir r_dir_perms;
	allow mediaserver camera_data_file:file r_file_perms;

	# Grant access to audio files to mediaserver
	allow mediaserver audio_data_file:dir ra_dir_perms;
	allow mediaserver audio_data_file:file create_file_perms;

	# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
	allow mediaserver qtaguid_proc:file rw_file_perms;
	allow mediaserver qtaguid_device:chr_file r_file_perms;

	# Allow abstract socket connection
	allow mediaserver rild:unix_stream_socket { connectto read write setopt };