Merge "Restrict kernel keyring search capability" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index bff3c87..a3e010f 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -858,6 +858,7 @@
/data/system/unsolzygotesocket system_unsolzygote_socket
/data/drm drm_data_file
/data/drm/test drm_data_file
+/data/system/mediadrm mediadrm_system_data_file
/data/resource-cache resourcecache_data_file
/data/resource-cache/test resourcecache_data_file
/data/dalvik-cache dalvikcache_data_file
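Review bot: The new test entry only exercises the directory itself, while the neighbouring entries (`/data/drm/test`, `/data/resource-cache/test`) also exercise a child path, which is what checks that the `(/.*)?` suffix in file_contexts labels everything under the directory. Since the hal rules elsewhere in this change create files inside the directory, a child-path check is the case that matters; add `/data/system/mediadrm/test mediadrm_system_data_file` after the new line.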
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 96a05f7..d2820fb 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -45,6 +45,11 @@
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
allow microdroid_manager self:global_capability_class_set sys_admin;
+# microdroid_manager needs to adjust the priority of the payload process.
+# It requires the sys_nice cap as well.
+allow microdroid_manager microdroid_app:process setsched;
+allow microdroid_manager self:global_capability_class_set sys_nice;
+
# Allow microdroid_manager to remove capabilities from it's capability bounding set.
allow microdroid_manager self:global_capability_class_set setpcap;
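Review bot: The added comment justifies `sys_nice` only by "adjust the priority of the payload process", but the capability is process-wide and also covers scheduling-policy and CPU-affinity changes beyond a nice value, so the comment should record which call actually needs it so a later reader can judge whether the grant can be narrowed. Suggested wording: `# microdroid_manager lowers the payload's scheduling priority (setsched on microdroid_app); CAP_SYS_NICE is needed for that call. Keep this in sync if the priority logic changes.` The hunk header counts more context lines than are shown here, so some blank lines around this hunk appear to have been dropped in rendering.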
diff --git a/private/app.te b/private/app.te
index a32cdb2..3219fbe 100644
--- a/private/app.te
+++ b/private/app.te
@@ -609,6 +609,8 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
+neverallow appdomain mediadrm_system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
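Review bot: The new neverallow mirrors the drm_data_file one and so forbids app writes only; read access (`open`/`read`/`getattr`) by appdomain is left to the absence of allow rules rather than asserted. If the directory is meant to hold provisioning state that apps must never see, consider adding a companion assertion, e.g. `neverallow appdomain mediadrm_system_data_file:dir_file_class_set ~getattr;`, or at least a one-line comment above the rule stating that apps are not expected to have any access to this type. The `neverallow { appdomain -platform_app }` statement on the hunk's last line continues outside the hunk.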
diff --git a/private/file.te b/private/file.te
index 6bdcc39..6de346a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -14,6 +14,9 @@
type fs_bpf_uprobestats, fs_type, bpffs_type;
type fs_bpf_memevents, fs_type, bpffs_type;
+# /data/system/mediadrm
+type mediadrm_system_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 23a895e..2bed8ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -596,6 +596,7 @@
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/system/mediadrm(/.*)? u:object_r:mediadrm_system_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
diff --git a/private/hal_widevine_system.te b/private/hal_widevine_system.te
index 57213b3..a9cae31 100644
--- a/private/hal_widevine_system.te
+++ b/private/hal_widevine_system.te
@@ -5,3 +5,10 @@
init_daemon_domain(hal_widevine_system)
allow hal_widevine_system self:vsock_socket { create_socket_perms_no_ioctl };
+
+get_prop(hal_widevine_system, drm_config_prop)
+get_prop(hal_widevine_system, trusty_widevine_vm_sys_prop)
+
+allow hal_widevine_system mediadrm_system_data_file:dir { create search add_name rw_dir_perms };
+allow hal_widevine_system mediadrm_system_data_file:file { getattr create open read write };
+
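Review bot: In the dir rule, `search` and `add_name` are already members of `rw_dir_perms`, so listing them separately is redundant; `allow hal_widevine_system mediadrm_system_data_file:dir { create rw_dir_perms };` expresses the same access. Granting `create` on the directory implies the domain may create `/data/system/mediadrm` itself, but nothing in this change shows the corresponding `add_name` on the parent directory's type or a type_transition that would label the new directory `mediadrm_system_data_file`; if the directory is instead created at boot by init or a prepare-subdirs step, the `create` permission looks unnecessary and a short comment saying who creates the directory would help. The trailing empty `+` line adds a blank line at end of file.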