# mediaanalytics - daemon for collecting media analytics data
#
# This file declares the domain and its executable type, grants the small set
# of permissions listed below, and pins two neverallow assertions that keep the
# domain from running unconfined code or opening IP sockets.

# Process domain for the daemon.
type mediaanalytics, domain;
# Label for the daemon's executable file.
# NOTE(review): no domain-transition rule is visible in this file; presumably
# it is declared elsewhere in the policy. Confirm that the daemon really
# starts in the mediaanalytics domain.
type mediaanalytics_exec, exec_type, file_type;

# Binder IPC (macros are defined outside this file): use binder, call into
# domains carrying the binderservicedomain attribute, and act as a binder
# service itself.
binder_use(mediaanalytics)
binder_call(mediaanalytics, binderservicedomain)
binder_service(mediaanalytics)

# Register mediaanalytics_service with the service manager.
# NOTE(review): this grants "add" to this domain only; nothing in this file
# asserts that no other domain may add the same service. Verify that a
# matching neverallow exists elsewhere if that guarantee is required.
allow mediaanalytics mediaanalytics_service:service_manager add;

# Use file descriptors that belong to system_server.
allow mediaanalytics system_server:fd use;

# Read-only access to cgroup directories and files, and to files labelled
# proc_meminfo.
r_dir_file(mediaanalytics, cgroup)
allow mediaanalytics proc_meminfo:file r_file_perms;

###
### neverallow rules
###
### These are assertions checked when the policy is built: any allow rule that
### matches one of them fails the build.

# mediaanalytics should never execute any executable without a
# domain transition
neverallow mediaanalytics { file_type fs_type }:file execute_no_trans;

# mediaanalytics should never need network access. Disallow network sockets.
# Only the tcp_socket, udp_socket and rawip_socket classes are covered here;
# other socket classes are not constrained by this rule.
neverallow mediaanalytics domain:{ tcp_socket udp_socket rawip_socket } *;