###
### media_app: domain for apps signed with the media key.
###

type media_app, domain;
app_domain(media_app)
platform_app_domain(media_app)
binder_service(media_app)

# Network access.
net_domain(media_app)

# Read/write the MTP USB character device (/dev/mtp_usb).
allow media_app mtp_device:chr_file rw_file_perms;

# Write to /cache: modify directories, create and modify files.
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;

# Stat /cache/lost+found.
# NOTE(review): the rule is keyed on the "unlabeled" type, not on a path, so
# it covers any file or directory carrying that type; it grants getattr only.
allow media_app unlabeled:{ file dir } getattr;

# Stat /cache/backup (getattr only, no read or write).
allow media_app cache_backup_file:{ file dir } getattr;

# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file r_file_perms;

# Download storage: modify directories, create and modify files.
allow media_app download_file:dir rw_dir_perms;
allow media_app download_file:file create_file_perms;

# Allow media_app to mark platform app data directories as download
# directories. Only the dir class is covered here: relabelfrom on
# platform_app_data_file and relabelto on download_file.
# NOTE(review): the source type is platform_app_data_file; confirm this is
# the label media_app data directories actually carry.
relabelto_domain(media_app)
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;