Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / bc8dc3aa9d03598fc69df3e0b3990cddcf807616^! / . / prebuilts / api / 29.0 / public / hal_drm.te
commitbc8dc3aa9d03598fc69df3e0b3990cddcf807616[log] [tgz]
authorTri Vo <trong@google.com>Sun May 26 13:17:08 2019 -0700
committerTri Vo <trong@google.com>Sun May 26 14:19:26 2019 -0700
tree68f796377c8252d188bca113981996217ed28eb3
parentb693197a34902c7d92006b2173a69d9620ee3e9f [diff] [blame]
DO NOT MERGE Fake 29.0 sepolicy prebuilts

I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:

mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec

Bug: 133196056
Test: n/a
Change-Id: I2cbe749777684146114c89e1e6fc3f07400c0ae5

diff --git a/prebuilts/api/29.0/public/hal_drm.te b/prebuilts/api/29.0/public/hal_drm.te
new file mode 100644
index 0000000..bfee2d3
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_drm.te

@@ -0,0 +1,47 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;