blob: 65f38636b0e11c7297556a0325769f54d8eab1c2 [file] [log] [blame]
###
### Apps signed with the media key.
###
type media_app, domain;
app_domain(media_app)
platform_app_domain(media_app)
binder_service(media_app)
# Access the network.
net_domain(media_app)
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
# Write to /cache.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;
# Stat /cache/lost+found
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file r_file_perms;
allow media_app download_file:dir rw_dir_perms;
allow media_app download_file:file create_file_perms;
# Allow platform apps to mark platform app data files as download files
relabelto_domain(media_app)
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;