Add SELinux policy for mediacodec_samsung
mediacodec_samsung is separated from mediacodec for mfc encoder/decoder. Add assumption from mediacodec.te as well. Bug: 204718809 Test: boot to home Change-Id: I67ce385903cf5abd2ba9dc62b7229320b3f7daa9
parent
ecdcc0f739
commit
4bb1061c2d
1 changed files with 10 additions and 0 deletions
|
@ -15,3 +15,13 @@ allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
|
|||
hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
|
||||
|
||||
crash_dump_fallback(mediacodec_samsung)
|
||||
|
||||
# mediacodec_samsung should never execute any executable without a domain transition
|
||||
neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
|
||||
neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
|
||||
|
|
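Review bot: The three neverallow rules added at the end of this hunk are copied from mediacodec.te with only the domain name changed, and nothing in the file records that, so the two sets of assertions can drift apart without anyone noticing. I would add a line above the first one such as `# Mirrors the neverallow assertions in mediacodec.te; keep both in sync.` The new `hal_client_domain(mediacodec_samsung, hal_graphics_allocator)` and `crash_dump_fallback(mediacodec_samsung)` lines grant access but have no comment saying what needs it, unlike the assertions below them; a one-line reason on each would help later audits of this domain. The rest of the file lies outside the hunk, so whether any socket access is granted elsewhere cannot be checked from here, though the policy build should reject a conflicting allow rule.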