commit f58be478de31072203c10df4aa6af3d0a0a5df21
author Robert Shih <robertshih@google.com> Tue Jul 16 14:57:41 2019 -0700
committer Robert Shih <robertshih@google.com> Mon Sep 30 04:51:24 2019 +0000
tree 2f7e5e7f8a0b7fac8368fb551f2682ed096f18ed
parent 3cda2d5c2b58c6daf322099c530669a889f0139e

Allow apps to access hal_drm

Bug: 134787536
Test: MediaDrmClearkeyTest#testClearKeyPlaybackCenc
Change-Id: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d
Merged-In: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d

private/technical_debt.cil

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 289f69e..fdcd0a3 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,6 +20,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Drm-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

public/hwservice.te

diff --git a/public/hwservice.te b/public/hwservice.te
index e8d4b1b..69cbe6a 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -18,7 +18,6 @@
 type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
@@ -76,10 +75,13 @@
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+#   untrusted app access in mind.
 type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;