Switch DRM HAL policy to _client/_server
This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.
Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.
Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.
Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
diff --git a/public/attributes b/public/attributes
index 5c43d5e..281724e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -135,6 +135,8 @@
attribute hal_configstore;
attribute hal_contexthub;
attribute hal_drm;
+attribute hal_drm_client;
+attribute hal_drm_server;
attribute hal_dumpstate;
attribute hal_fingerprint;
attribute hal_gatekeeper;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 79b385f..05fe347 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,5 +1,6 @@
-## call into system_server process (for invoking callbacks)
-binder_call(hal_drm, mediadrmserver)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;
@@ -50,4 +51,4 @@
neverallow hal_drm { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 8835585..9eb597c 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -9,7 +9,7 @@
binder_call(mediadrmserver, binderservicedomain)
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)
-binder_call(mediadrmserver, hal_drm)
+hal_client_domain(mediadrmserver, hal_drm)
add_service(mediadrmserver, mediadrmserver_service)
allow mediadrmserver mediaserver_service:service_manager find;
@@ -17,56 +17,6 @@
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
-### Rules needed when DRM HAL runs inside mediadrmserver process.
-### These rules should eventually be granted only when needed.
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-###
-
-### Rules needed when DRM HAL runs outside of mediadrmserver process.
-### These rules should eventually be granted only when needed.
-hwbinder_use(mediadrmserver)
-###
-
###
### neverallow rules
###