public/android_hardware_audio_2_0_service.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # android_hardware_audio_2_0_service - audio services daemon
 type android_hardware_audio_2_0_service, domain;
 type android_hardware_audio_2_0_service_exec, exec_type, file_type;

 hwbinder_use(android_hardware_audio_2_0_service)
 binder_call(android_hardware_audio_2_0_service, audioserver)

 allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;

 allow android_hardware_audio_2_0_service system_file:dir { open read };

 userdebug_or_eng(`
   # used for pcm capture for debug.
   allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
   allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
 ')

 r_dir_file(android_hardware_audio_2_0_service, proc)
 allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
 allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;

 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)

 ###
 ### neverallow rules
 ###

 # android_hardware_audio_2_0_service should never execute any executable without
 # a domain transition
 neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;

 # android_hardware_audio_2_0_service should never need network access.
 # Disallow network sockets.
 neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;
	# android_hardware_audio_2_0_service - audio services daemon
	type android_hardware_audio_2_0_service, domain;
	type android_hardware_audio_2_0_service_exec, exec_type, file_type;

	hwbinder_use(android_hardware_audio_2_0_service)
	binder_call(android_hardware_audio_2_0_service, audioserver)

	allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;

	allow android_hardware_audio_2_0_service system_file:dir { open read };

	userdebug_or_eng(`
	# used for pcm capture for debug.
	allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
	allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
	')

	r_dir_file(android_hardware_audio_2_0_service, proc)
	allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
	allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;

	# Needed on some devices for playing audio on paired BT device,
	# but seems appropriate for all devices.
	unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)

	###
	### neverallow rules
	###

	# android_hardware_audio_2_0_service should never execute any executable without
	# a domain transition
	neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;

	# android_hardware_audio_2_0_service should never need network access.
	# Disallow network sockets.
	neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;