Diffstat (limited to 'prebuilts/api/32.0/private/mediatuner.te')
-rw-r--r--prebuilts/api/32.0/private/mediatuner.te30
1 files changed, 30 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/mediatuner.te b/prebuilts/api/32.0/private/mediatuner.te
new file mode 100644
index 000000000..413d2e545
--- /dev/null
+++ b/prebuilts/api/32.0/private/mediatuner.te
@@ -0,0 +1,30 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
+binder_call(mediatuner, system_server)
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
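Review bot: The `allow mediatuner system_server:fd use;` line looks redundant, because `binder_call(mediatuner, system_server)` three lines below it already expands to an `fd use` grant on the target domain in the standard te_macros definition. Dropping it, or placing the two system_server rules together, would make the grants easier to audit. Separately, `binder_call(mediatuner, appdomain)` reaches every app domain, including untrusted apps, and nothing in the file records why the whole attribute is needed; a comment such as `# tuner clients in apps receive callbacks over binder` (if that is the reason) would help a least-privilege review. Since this file sits under prebuilts/api/32.0, it presumably has to stay identical to the frozen API snapshot, so any such change belongs in the live private/mediatuner.te first.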