platform_system_sepolicy/drmserver.te

# drmserver - DRM service
type drmserver, domain;
type drmserver_exec, exec_type, file_type;

init_daemon_domain(drmserver)
typeattribute drmserver mlstrustedsubject;

net_domain(drmserver)

# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
binder_call(drmserver, appdomain)
binder_service(drmserver)

# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)

allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file)

type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
allow drmserver apk_data_file:dir rw_dir_perms;
type_transition drmserver apk_data_file:sock_file drmserver_socket;
allow drmserver drmserver_socket:sock_file create_file_perms;
allow drmserver tee:unix_stream_socket connectto;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.
r_dir_file(drmserver, media_rw_data_file)

# Read resources from open apk files passed over Binder.
allow drmserver apk_data_file:file { read getattr };
allow drmserver asec_apk_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };

# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;

allow drmserver drmserver_service:service_manager { add find };
allow drmserver tmp_system_server_service:service_manager find;

service_manager_local_audit_domain(drmserver)
auditallow drmserver {
    tmp_system_server_service
    -permission_service
}:service_manager find;

selinux_check_access(drmserver)
SE Android policy. 2012-01-04 18:33:27 +01:00			`# drmserver - DRM service`
			`type drmserver, domain;`
			`type drmserver_exec, exec_type, file_type;`

			`init_daemon_domain(drmserver)`
Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:35 +01:00			`typeattribute drmserver mlstrustedsubject;`

Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00			`net_domain(drmserver)`

Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:35 +01:00			`# Perform Binder IPC to system server.`
			`binder_use(drmserver)`
			`binder_call(drmserver, system_server)`
			`binder_call(drmserver, appdomain)`
			`binder_service(drmserver)`

			`# Perform Binder IPC to mediaserver`
			`binder_call(drmserver, mediaserver)`

			`allow drmserver sdcard_type:dir search;`
			`allow drmserver drm_data_file:dir create_dir_perms;`
			`allow drmserver drm_data_file:file create_file_perms;`
			`allow drmserver tee_device:chr_file rw_file_perms;`
Introduce asec_public_file type. This new type will allow us to write finer-grained policy concerning asec containers. Some files of these containers need to be world readable. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> 2014-02-04 17:36:41 +01:00			`allow drmserver app_data_file:file { read write getattr };`
Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:35 +01:00			`allow drmserver sdcard_type:file { read write getattr };`
drmserver: allow looking in efs_file directories We can read any efs_files, but can't look in the directory containing them. Allow it. Without this patch, high resolution movie playback is broken. Addresses the following denial: [ 276.780046] type=1400 audit(1391105234.431:5): avc: denied { search } for pid=125 comm="drmserver" name="/" dev="mmcblk0p1" ino=2 scontext=u:r:drmserver:s0 tcontext=u:object_r:efs_file:s0 tclass=dir Bug: 12819852 Change-Id: Ie9d13a224cef5e229de1bdb78d605841ed387a21 2014-01-31 22:20:20 +01:00			`r_dir_file(drmserver, efs_file)`
Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:35 +01:00
Revert "Move tlcd_sock policy over to manta." This doesn't compile on non-manta devices because of a missing drmserver_socket declaration. external/sepolicy/mediaserver.te":68:ERROR 'unknown type drmserver_socket' at token ';' on line 6764: #line 68 allow mediaserver drmserver_socket:sock_file write; checkpolicy: error(s) encountered while parsing configuration make: * [out/target/product/flo/obj/ETC/sepolicy_intermediates/sepolicy] Error 1 make: * Waiting for unfinished jobs.... This reverts commit 8cd400d3c4a5a9eb9bd8b0392260200bd23e6548. Change-Id: Ib8f07b57008b9ed1165b945057502779e806f0f8 2014-02-04 22:49:01 +01:00			`type drmserver_socket, file_type;`

			`# /data/app/tlcd_sock socket file.`
			`# Clearly, /data/app is the most logical place to create a socket. Not.`
			`allow drmserver apk_data_file:dir rw_dir_perms;`
			`type_transition drmserver apk_data_file:sock_file drmserver_socket;`
			`allow drmserver drmserver_socket:sock_file create_file_perms;`
Confine drmserver, but leave it permissive for now. Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:35 +01:00			`allow drmserver tee:unix_stream_socket connectto;`
Revert "Move tlcd_sock policy over to manta." This doesn't compile on non-manta devices because of a missing drmserver_socket declaration. external/sepolicy/mediaserver.te":68:ERROR 'unknown type drmserver_socket' at token ';' on line 6764: #line 68 allow mediaserver drmserver_socket:sock_file write; checkpolicy: error(s) encountered while parsing configuration make: * [out/target/product/flo/obj/ETC/sepolicy_intermediates/sepolicy] Error 1 make: * Waiting for unfinished jobs.... This reverts commit 8cd400d3c4a5a9eb9bd8b0392260200bd23e6548. Change-Id: Ib8f07b57008b9ed1165b945057502779e806f0f8 2014-02-04 22:49:01 +01:00			`# Delete old socket file if present.`
			`allow drmserver apk_data_file:sock_file unlink;`
fix mediaserver selinux denials. mediaserver needs the ability to read media_rw_data_file files. Allow it. Similarly, this is also needed for drmserver. Addresses the following denials: <5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Allow anyone who has access to video_device:chr_file to also have read access to video_device:dir. Otherwise, the chracter devices may not be reachable. Bug: 12416198 Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074 2014-01-06 21:39:19 +01:00
			`# After taking a video, drmserver looks at the video file.`
			`r_dir_file(drmserver, media_rw_data_file)`
Allow drmserver and mediaserver to read apk files. Required to support passing resources via open apk files over Binder. Resolves denials such as: avc: denied { read } for pid=31457 comm="SoundPoolThread" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:mediaserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file avc: denied { read } for pid=31439 comm="Binder_2" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:drmserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file We do not allow open as it is not required (i.e. the files are passed as open files over Binder or local socket and opened by the client). Change-Id: Ib0941df1e9aac8d20621a356d2d212b98471abbc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-13 20:35:46 +01:00
			`# Read resources from open apk files passed over Binder.`
			`allow drmserver apk_data_file:file { read getattr };`
			`allow drmserver asec_apk_file:file { read getattr };`
Allow reading of radio data files passed over binder. Addresses denials such as: avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file This does not allow write denials such as: avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file Need to understand whether write access is in fact required. Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-27 14:45:26 +01:00
			`# Read /data/data/com.android.providers.telephony files passed over Binder.`
			`allow drmserver radio_data_file:file { read getattr };`
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d 2014-06-06 00:52:02 +02:00
Added sepolicy for oem customization. Bug: 16635599 Change-Id: I69f9089dde1fe68762a38f4d97ddee2c20aaaa9d 2014-09-16 19:00:50 +02:00			`# /oem access`
allow oemfs:dir search mediaserver and drmserver both have permission to read oemfs related files. However, there are no search permissions on the directory, so the files would be unreachable. Grant search permissions on the oemfs directory, so that the files within that directory can be read. Bug: 17954291 Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db 2014-10-11 01:11:03 +02:00			`allow drmserver oemfs:dir search;`
Added sepolicy for oem customization. Bug: 16635599 Change-Id: I69f9089dde1fe68762a38f4d97ddee2c20aaaa9d 2014-09-16 19:00:50 +02:00			`allow drmserver oemfs:file r_file_perms;`
resolved conflicts for merge of 0a20b57f to lmp-dev-plus-aosp Change-Id: I6a0d56c23888535964e1559cb8ad63fedd27db47 2014-09-16 22:04:06 +02:00
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a 2014-12-12 01:01:27 +01:00			`allow drmserver drmserver_service:service_manager { add find };`
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef 2014-12-17 00:45:26 +01:00			`allow drmserver tmp_system_server_service:service_manager find;`
Resync lmp-dev-plus-aosp with master A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp. This is expected, but it's causing unnecessary merge conflicts when handling AOSP contributions. Resolve those conflicts. This is essentially a revert of bf696327246833c9aba55a645e6c433e9f321e27 for lmp-dev-plus-aosp only. Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c 2014-07-26 00:19:47 +02:00
Record observed system_server servicemanager service requests. Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries: avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602 2015-03-03 20:20:15 +01:00			`service_manager_local_audit_domain(drmserver)`
			`auditallow drmserver {`
			`tmp_system_server_service`
			`-permission_service`
			`}:service_manager find;`

Add fine grained access control to DrmManagerService. Add policies supporting SELinux MAC in DrmManagerservice. Add drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e 2014-07-02 21:42:59 +02:00			`selinux_check_access(drmserver)`