platform_system_sepolicy/public/hal_drm.te

## call into system_server process (for invoking callbacks)
binder_call(hal_drm, mediadrmserver)

# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;

# Permit reading device's serial number from system properties
get_prop(hal_drm, serialno_prop)

# System file accesses
allow hal_drm system_file:dir r_dir_perms;
allow hal_drm system_file:file r_file_perms;
allow hal_drm system_file:lnk_file r_file_perms;

# Read files already opened under /data
allow hal_drm system_data_file:dir { search getattr };
allow hal_drm system_data_file:file { getattr read };
allow hal_drm system_data_file:lnk_file r_file_perms;

# Read access to pseudo filesystems
r_dir_file(hal_drm, cgroup)
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;

# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
allow hal_drm media_data_file:file { getattr read };

allow hal_drm sysfs:file r_file_perms;

# Connect to tee service.
allow hal_drm tee:unix_stream_socket connectto;
allow hal_drm tee_device:chr_file rw_file_perms;

# only allow unprivileged socket ioctl commands
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

###
### neverallow rules
###

# hal_drm should never execute any executable without a
# domain transition
neverallow hal_drm { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 21:01:18 +01:00			`## call into system_server process (for invoking callbacks)`
			`binder_call(hal_drm, mediadrmserver)`

			`# Required by Widevine DRM (b/22990512)`
			`allow hal_drm self:process execmem;`

			`# Permit reading device's serial number from system properties`
			`get_prop(hal_drm, serialno_prop)`

			`# System file accesses`
			`allow hal_drm system_file:dir r_dir_perms;`
			`allow hal_drm system_file:file r_file_perms;`
			`allow hal_drm system_file:lnk_file r_file_perms;`

			`# Read files already opened under /data`
			`allow hal_drm system_data_file:dir { search getattr };`
			`allow hal_drm system_data_file:file { getattr read };`
			`allow hal_drm system_data_file:lnk_file r_file_perms;`

			`# Read access to pseudo filesystems`
			`r_dir_file(hal_drm, cgroup)`
			`allow hal_drm cgroup:dir { search write };`
			`allow hal_drm cgroup:file w_file_perms;`

			`# Allow access to ion memory allocation device`
			`allow hal_drm ion_device:chr_file rw_file_perms;`
			`allow hal_drm hal_graphics_allocator:fd use;`

			`# Allow access to app_data and media_data_files`
			`allow hal_drm media_data_file:dir create_dir_perms;`
			`allow hal_drm media_data_file:file create_file_perms;`
			`allow hal_drm media_data_file:file { getattr read };`

			`allow hal_drm sysfs:file r_file_perms;`

			`# Connect to tee service.`
			`allow hal_drm tee:unix_stream_socket connectto;`
			`allow hal_drm tee_device:chr_file rw_file_perms;`

			`# only allow unprivileged socket ioctl commands`
			`allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }`
			`ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };`

			`###`
			`### neverallow rules`
			`###`

			`# hal_drm should never execute any executable without a`
			`# domain transition`
			`neverallow hal_drm { file_type fs_type }:file execute_no_trans;`

			`# do not allow privileged socket ioctl commands`
			`neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`