Merge "Generate selinux_policy.xml as part of CTS build."
diff --git a/access_vectors b/access_vectors
index 1b26bce..659fb36 100644
--- a/access_vectors
+++ b/access_vectors
@@ -921,3 +921,14 @@
dump_tombstone
dump_backtrace
}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
diff --git a/app.te b/app.te
index 8288ea0..e242152 100644
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@
# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
{ transition dyntransition };
# Write to rootfs.
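Review bot: The rewritten neverallow on the `+` line only covers targets that carry the `domain` attribute, whereas `~appdomain` covered every type outside `appdomain`. A process type declared without `domain` would therefore no longer be caught by this assertion. That is safe only if something else guarantees that every process type has `domain`, and no such guarantee is visible in this hunk. I would record the assumption in the comment above the rule, e.g. `# Relies on every process type carrying the domain attribute.`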
diff --git a/domain.te b/domain.te
index 015274b..9ae611c 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
allow domain servicemanager:service_manager list;
-auditallow domain servicemanager:service_manager list;
+auditallow { domain -dumpstate } servicemanager:service_manager list;
allow domain service_manager_type:service_manager find;
auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
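Review bot: The `-dumpstate` exclusion on the new `auditallow` line hard-codes a single domain and has no comment explaining it, while the `find` rule two lines below exempts domains through the `service_manager_local_audit` attribute. A one-line comment such as `# dumpstate lists services routinely; exempt it from list auditing.` would help (the reason is inferred, please confirm). An attribute would keep the two rules parallel if more domains need the same exemption. The `allow` above is unchanged, so this reduces audit visibility for dumpstate, not its access.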
diff --git a/drmserver.te b/drmserver.te
index 14b2f49..2a146b6 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -54,3 +54,5 @@
-drmserver_service
-system_server_service
}:service_manager find;
+
+selinux_check_access(drmserver)
diff --git a/file.te b/file.te
index 99c3839..7df06d3 100644
--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;
diff --git a/mediaserver.te b/mediaserver.te
index 52c593e..3eb078d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -89,3 +89,15 @@
-system_server_service
-surfaceflinger_service
}:service_manager find;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
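Review bot: The `allow mediaserver drmserver:drmservice` rule lists all eight permissions this commit defines for the class in access_vectors, so it is a full grant written out by hand. If mediaserver does not need every operation, the set should be trimmed to what it actually calls. If it does, a comment such as `# mediaserver uses every drmservice operation; full set is intentional.` would record that. The rule only takes effect where drmserver performs the userspace check with these exact permission strings, and that code is not visible in this diff.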
diff --git a/security_classes b/security_classes
index ca8f468..9cd3f1c 100644
--- a/security_classes
+++ b/security_classes
@@ -146,4 +146,5 @@
# debuggerd service
class debuggerd # userspace
+class drmservice # userspace
# FLASK
diff --git a/te_macros b/te_macros
index b2913f3..e211a17 100644
--- a/te_macros
+++ b/te_macros
@@ -367,3 +367,13 @@
define(`service_manager_local_audit_domain', `
typeattribute $1 service_manager_local_audit;
')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
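Review bot: The header comment for `use_drmservice` does not say that all three rules grant access to drmserver on the client domain `$1`, and nothing to the client itself. A caller still needs its own `allow $1 drmserver:drmservice ...` rule, as mediaserver.te adds in this commit. I would extend the comment, e.g. `# Lets drmserver read the caller's /proc/PID entries for getpidcon; grants nothing to $1.` The `dir search` and `file { read open }` rules apply to every object labeled with the caller's domain type, which is presumably wider than the single attribute file getpidcon reads. A PID-based context lookup can also resolve to a different process if the PID is reused before the check, so the drmserver side deserves review with that in mind.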