drmserver: audit permissions for /data/app We would like to assert that only PackageManager can make modifications to /data/app. However, I first need to remove some existing permissions that seem like they are no longer used (as per jtinker@). Add audit statements to confirm. Test: build Change-Id: Ie5ec5199f7e2f862c4d16d8c86b9b0db6fbe481c

commit: 5e6d60a2a5b2a12a677824fd8f41af5885fa565b [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Wed Dec 09 09:16:51 2020 +0100
committer: Jeff Vander Stoep <jeffv@google.com> Wed Dec 09 09:16:51 2020 +0100
tree: 02728344ca6063e908f275e0cfe469fc481d820f
parent: 2543715187831f3f1e99c0ad864e79ce254111fe [diff]
diff --git a/public/drmserver.te b/public/drmserver.te
index e2c6638..a24ad41 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te

@@ -30,7 +30,9 @@
 # /data/app/tlcd_sock socket file.
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
 allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
commit	5e6d60a2a5b2a12a677824fd8f41af5885fa565b	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Wed Dec 09 09:16:51 2020 +0100
committer	Jeff Vander Stoep <jeffv@google.com>	Wed Dec 09 09:16:51 2020 +0100
tree	02728344ca6063e908f275e0cfe469fc481d820f
parent	2543715187831f3f1e99c0ad864e79ce254111fe [diff]