Add sepolicy for drm HALs
bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
diff --git a/private/file_contexts b/private/file_contexts
index 05b6731..95b2782 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -245,6 +245,7 @@
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/system/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/system/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
diff --git a/private/hal_drm_default.te b/private/hal_drm_default.te
new file mode 100644
index 0000000..6e4df5b
--- /dev/null
+++ b/private/hal_drm_default.te
@@ -0,0 +1,5 @@
+type hal_drm_default, domain;
+hal_impl_domain(hal_drm_default, hal_drm)
+
+type hal_drm_default_exec, exec_type, file_type;
+init_daemon_domain(hal_drm_default)
diff --git a/public/attributes b/public/attributes
index 299532b..1aacd9e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,7 @@
attribute hal_bluetooth;
attribute hal_camera;
attribute hal_contexthub;
+attribute hal_drm;
attribute hal_dumpstate;
attribute hal_fingerprint;
attribute hal_gatekeeper;
diff --git a/public/domain.te b/public/domain.te
index 09958f0..ca86836 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,6 +378,7 @@
domain
-adbd
-dumpstate
+ -hal_drm
-init
-mediadrmserver
-recovery
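Review bot: The exemption added here names the `hal_drm` attribute rather than the `hal_drm_default` domain, so every domain that acquires the attribute — each vendor DRM HAL implementation and, through `hal_impl_domain(mediadrmserver, hal_drm)` in this same change, mediadrmserver — is carved out of whatever neverallow this list belongs to; the head of that neverallow is outside the hunk, so which restriction is being relaxed cannot be checked here. If mediadrmserver is now a member of hal_drm, the existing `-mediadrmserver` entry is presumably redundant and could either be dropped in favour of the attribute or kept with a comment explaining why both are listed. A one-line comment above the entry, e.g. `# hal_drm: DRM HAL implementations need this access (see hal_drm.te)`, would record why a whole attribute rather than a single domain is exempted.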
diff --git a/public/hal_drm.te b/public/hal_drm.te
new file mode 100644
index 0000000..79b385f
--- /dev/null
+++ b/public/hal_drm.te
@@ -0,0 +1,53 @@
+## call into system_server process (for invoking callbacks)
+binder_call(hal_drm, mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:dir { search getattr };
+allow hal_drm system_data_file:file { getattr read };
+allow hal_drm system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
+allow hal_drm sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow hal_drm tee:unix_stream_socket connectto;
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
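Review bot: The header comment on the first line says the rule lets hal_drm call into system_server, but the rule it annotates is `binder_call(hal_drm, mediadrmserver)`; either the comment should read `## call into mediadrmserver (for invoking callbacks)` or the rule should name system_server, whichever is intended — the rule added to system_server.te in this change grants calls from system_server to hal_drm, not the reverse. `allow hal_drm media_data_file:file { getattr read };` is redundant once `create_file_perms` is granted on the line above it, and `unpriv_tty_ioctls` in the socket `allowxperm` is carried over from mediadrmserver but tty ioctls on rawip/tcp/udp sockets look like a copy-paste leftover worth confirming. Since `allow hal_drm self:process execmem;` is a W^X exception that every vendor DRM HAL implementation will now inherit through the attribute, the bug reference on that line should stay and ideally note that it is Widevine-specific. The file is also missing its trailing newline.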
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 8173657..c695432 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -10,61 +10,12 @@
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
allow mediadrmserver mediadrmserver_service:service_manager { add find };
allow mediadrmserver mediaserver_service:service_manager { add find };
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+# Inherit hal_drm access rules until DRM HAL implementation is
+# moved out of mediadrmserver
+hal_impl_domain(mediadrmserver, hal_drm)
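Review bot: `hal_impl_domain(mediadrmserver, hal_drm)` likely grants more than the rules just removed from this file: if the macro also attaches mediadrmserver to the generic HAL-server attribute and its hwbinder/hwservicemanager rules, an existing system binder service gains vendor-HAL-side permissions that the comment "Inherit hal_drm access rules" does not mention. If only the hal_drm rules are meant to carry over, `typeattribute mediadrmserver hal_drm;` would do that without the extra grants; otherwise the comment should say what else is inherited, e.g. `# Inherit hal_drm access rules (and halserverdomain rules) until ...`. The macro definition is not part of this change, so confirm against te_macros which of the two applies.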
diff --git a/public/system_server.te b/public/system_server.te
index 5dc99ab..8485480 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -181,6 +181,7 @@
binder_call(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
binder_call(system_server, hal_wifi)
+binder_call(system_server, hal_drm)
binder_call(system_server, wpa)
# Talk to tombstoned to get ANR traces.
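Review bot: `binder_call(system_server, hal_drm)` is inserted after hal_wifi, while the visible neighbours (hal_vibrator, hal_vr, hal_wifi) are in alphabetical order; placing it with the hal_* entries that sort before hal_vibrator keeps the list scannable and avoids future duplicates. Note also that this grants calls from system_server into hal_drm only; hal_drm.te in this change calls back into mediadrmserver rather than system_server, so if system_server is expected to receive DRM HAL callbacks a matching `binder_call(hal_drm, system_server)` is still missing — whether it is needed depends on the HAL interface, which is not visible here.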