add sepolicy type for widevine/drm hal in system Bug: 371777025 Test: lunch qemu_trusty_arm64-trunk_staging-userdebug Change-Id: I4eb0cbd376ad598c6b9dc7a9ed32e696225bc253

commit: ea494f23bdc82ea546affd669a1ed7157b7dfa43 [log] [tgz]
author: Armelle Laine <armellel@google.com> Fri Jan 24 23:32:02 2025 +0000
committer: Armelle Laine <armellel@google.com> Sun Feb 23 07:45:13 2025 +0000
tree: b92934d0b801a4b9108f61e86c4b38a903ab7bab
parent: 87df87e2f4bc35e7ba6129d5057c6091cbc2d8ae [diff] [blame]
diff --git a/private/hal_drm.te b/private/hal_drm.te
index 211fbb7..f24c326 100644
--- a/private/hal_drm.te
+++ b/private/hal_drm.te

@@ -33,7 +33,7 @@
 allow hal_drm_server shell:fifo_file write;
 
 # Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
+allow { hal_drm -hal_widevine_system } ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
 
 # Allow access to hidl_memory allocation service
@@ -42,9 +42,9 @@
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
-allow hal_drm sysfs:file r_file_perms;
+allow { hal_drm -hal_widevine_system } sysfs:file r_file_perms;
 
-allow hal_drm tee_device:chr_file rw_file_perms;
+allow { hal_drm -hal_widevine_system } tee_device:chr_file rw_file_perms;
 
 allow hal_drm_server { appdomain -isolated_app }:fd use;
commit	ea494f23bdc82ea546affd669a1ed7157b7dfa43	[log] [tgz]
author	Armelle Laine <armellel@google.com>	Fri Jan 24 23:32:02 2025 +0000
committer	Armelle Laine <armellel@google.com>	Sun Feb 23 07:45:13 2025 +0000
tree	b92934d0b801a4b9108f61e86c4b38a903ab7bab
parent	87df87e2f4bc35e7ba6129d5057c6091cbc2d8ae [diff] [blame]