Add mediadrm service
Part of media security hardening
This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.
bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
diff --git a/file_contexts b/file_contexts
index 94702b4..56ed390 100644
--- a/file_contexts
+++ b/file_contexts
@@ -165,6 +165,7 @@
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
diff --git a/mediadrmserver.te b/mediadrmserver.te
new file mode 100644
index 0000000..f4b5ecc
--- /dev/null
+++ b/mediadrmserver.te
@@ -0,0 +1,63 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+init_daemon_domain(mediadrmserver)
+
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow mediadrmserver self:process execmem;
+
+# System file accesses.
+allow mediadrmserver system_file:dir r_dir_perms;
+allow mediadrmserver system_file:file r_file_perms;
+allow mediadrmserver system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow mediadrmserver system_data_file:dir { search getattr };
+allow mediadrmserver system_data_file:file { getattr read };
+allow mediadrmserver system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(mediadrmserver, cgroup)
+allow mediadrmserver cgroup:dir { search write };
+allow mediadrmserver cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow mediadrmserver ion_device:chr_file rw_file_perms;
+
+# Allow access to app_data and media_data_files
+allow mediadrmserver media_data_file:dir create_dir_perms;
+allow mediadrmserver media_data_file:file create_file_perms;
+
+allow mediadrmserver tee_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediadrmserver sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow mediadrmserver tee:unix_stream_socket connectto;
+
+allow mediadrmserver mediadrmserver_service:service_manager { add find };
+allow mediadrmserver mediaserver_service:service_manager { add find };
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
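Review bot: `allow mediadrmserver self:process execmem;` lets the daemon map anonymous writable-and-executable memory, dropping W^X for a process that in this same file also gets `tee_device` and `ion_device` access and is reachable over binder, and the comment cites the bug without saying why the plugin needs it or when the grant can be removed. Suggest expanding it to `# Required by Widevine DRM (b/22990512); TODO: drop once the plugin no longer needs anonymous executable memory`. The `# XXX Label with a specific type?` grant on `sysfs:file` has the same shape, a broad read grant with an open question, and noting which sysfs nodes are actually read (in the comment or the commit message) is what would let the label be narrowed later. `binder_call(mediadrmserver, appdomain)` together with `mlstrustedsubject` also widens what this domain can initiate; if the daemon only answers app calls and never calls back into apps, the appdomain direction may be more than needed, which is worth confirming against the daemon's binder use.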
diff --git a/service.te b/service.te
index 24118ff..34bd50a 100644
--- a/service.te
+++ b/service.te
@@ -11,6 +11,7 @@
type mediaserver_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediacodec_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index fe58082..39e004c 100644
--- a/service_contexts
+++ b/service_contexts
@@ -72,6 +72,7 @@
media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:audioserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
diff --git a/system_server.te b/system_server.te
index dbe93e4..2e131b3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -139,12 +139,13 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, audioserver)
r_dir_file(system_server, cameraserver)
r_dir_file(system_server, mediaserver)
+r_dir_file(system_server, mediadrmserver)
r_dir_file(system_server, mediaextractor)
r_dir_file(system_server, mediacodec)
r_dir_file(system_server, sdcardd)
@@ -157,6 +158,10 @@
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
# Check SELinux permissions.
selinux_check_access(system_server)
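Review bot: The added comment `# Use sockets received over binder from various services.` sits directly under the existing mediaserver tcp/udp rules, which are presumably already introduced by the same comment just above the hunk, so repeating it for mediadrmserver splits one block into two. Suggest dropping the new comment and the blank line and placing the two `mediadrmserver` socket rules directly after the `allow system_server mediaserver:udp_socket rw_socket_perms;` line. Whether system_server actually receives sockets from mediadrmserver (rather than only from mediaserver) is not visible here; if it does not, these two rules can wait until a denial shows the need.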
@@ -390,6 +395,7 @@
allow system_server mediaserver_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 2d85bfc..30364b0 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -73,6 +73,7 @@
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app mediacodec_service:service_manager find;
+allow untrusted_app mediadrmserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
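Review bot: `allow untrusted_app mediadrmserver_service:service_manager find;` makes the new daemon's binder interface discoverable from every untrusted app, so a domain that this change also grants `execmem`, `tee_device` and `ion_device` access in mediadrmserver.te becomes directly reachable from third-party code. That is expected for a DRM service apps talk to, but the commit message only describes the enable property, not the app-facing exposure; a one-line comment such as `# media.drm is app-facing; input validation and per-caller checks presumably live in mediadrmserver - confirm` next to the rule would record where the trust boundary is. If the daemon is not registered on devices where the property is unset, `find` simply fails there, so the rule itself appears harmless to land alongside the domain.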