| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute drmserver coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | init_daemon_domain(drmserver) |
| dcashman | 2e00e63 | 2016-10-12 14:58:09 -0700 | [diff] [blame] | 4 | |
| 5 | type_transition drmserver apk_data_file:sock_file drmserver_socket; |
| Alex Klyubin | 2f6151e | 2017-03-30 17:39:00 -0700 | [diff] [blame] | 6 | |
| 7 | typeattribute drmserver_socket coredomain_socket; |
| Inseob Kim | 832e17b | 2020-05-25 15:36:44 +0900 | [diff] [blame] | 8 | |
| 9 | get_prop(drmserver, drm_service_config_prop) |
| Inseob Kim | 75806ef | 2024-03-27 17:18:41 +0900 | [diff] [blame] | 10 | |
| 11 | typeattribute drmserver mlstrustedsubject; |
| 12 | |
| 13 | net_domain(drmserver) |
| 14 | |
| 15 | # Perform Binder IPC to system server. |
| 16 | binder_use(drmserver) |
| 17 | binder_call(drmserver, system_server) |
| 18 | binder_call(drmserver, appdomain) |
| 19 | binder_call(drmserver, mediametrics) |
| 20 | binder_service(drmserver) |
| 21 | # Inherit or receive open files from system_server. |
| 22 | allow drmserver system_server:fd use; |
| 23 | |
| 24 | # Perform Binder IPC to mediaserver |
| 25 | binder_call(drmserver, mediaserver) |
| 26 | |
| 27 | allow drmserver { sdcard_type fuse }:dir search; |
| 28 | allow drmserver drm_data_file:dir create_dir_perms; |
| 29 | allow drmserver drm_data_file:file create_file_perms; |
| 30 | allow drmserver { app_data_file privapp_data_file }:file { read write getattr map }; |
| 31 | allow drmserver { sdcard_type fuse }:file { read write getattr map }; |
| 32 | r_dir_file(drmserver, efs_file) |
| 33 | |
| 34 | # /data/app/tlcd_sock socket file. |
| 35 | # Clearly, /data/app is the most logical place to create a socket. Not. |
| 36 | allow drmserver apk_data_file:dir rw_dir_perms; |
| 37 | auditallow drmserver apk_data_file:dir { add_name write }; |
| 38 | allow drmserver drmserver_socket:sock_file create_file_perms; |
| 39 | auditallow drmserver drmserver_socket:sock_file create; |
| 40 | # Delete old socket file if present. |
| 41 | allow drmserver apk_data_file:sock_file unlink; |
| 42 | |
| 43 | # After taking a video, drmserver looks at the video file. |
| 44 | r_dir_file(drmserver, media_rw_data_file) |
| 45 | |
| 46 | # Read resources from open apk files passed over Binder. |
| 47 | allow drmserver apk_data_file:file { read getattr map }; |
| 48 | allow drmserver asec_apk_file:file { read getattr map }; |
| 49 | allow drmserver ringtone_file:file { read getattr map }; |
| 50 | |
| 51 | # Read /data/data/com.android.providers.telephony files passed over Binder. |
| 52 | allow drmserver radio_data_file:file { read getattr map }; |
| 53 | |
| 54 | # /oem access |
| 55 | allow drmserver oemfs:dir search; |
| 56 | allow drmserver oemfs:file r_file_perms; |
| 57 | |
| 58 | # overlay package access |
| 59 | allow drmserver vendor_overlay_file:file { read map }; |
| 60 | |
| 61 | add_service(drmserver, drmserver_service) |
| 62 | allow drmserver permission_service:service_manager find; |
| 63 | allow drmserver mediametrics_service:service_manager find; |
| 64 | |
| 65 | selinux_check_access(drmserver) |
| 66 | |
| 67 | r_dir_file(drmserver, cgroup) |
| 68 | r_dir_file(drmserver, cgroup_v2) |
| 69 | r_dir_file(drmserver, system_file) |