Add sepolicy for DRM AIDL HAL

Bug: 208486736 Test: atest VtsAidlHalDrmTargetTest Change-Id: Ia2b1488a564d94384d183d30291fbf5a6d2df4ab
2022-01-19 23:34:37 -08:00 · 2022-01-19 23:34:37 -08:00 · 4968374205
commit 4968374205
parent 6003019fa8
6 changed files with 13 additions and 0 deletions
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -22,6 +22,7 @@
    gesture_prop
    hal_contexthub_service
    hal_dice_service
+    hal_drm_service
    hal_dumpstate_service
    hal_graphics_allocator_service
    hal_graphics_composer_service
--- a/private/service_contexts
+++ b/private/service_contexts
@ -5,6 +5,8 @@ android.hardware.biometrics.face.IFace/default                       u:object_r:
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey                            u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey                         u:object_r:hal_drm_service:s0
 android.hardware.dumpstate.IDumpstateDevice/default                  u:object_r:hal_dumpstate_service:s0
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.graphics.allocator.IAllocator/default               u:object_r:hal_graphics_allocator_service:s0
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@ -1,8 +1,10 @@
 # HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)

 hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)

 allow hal_drm hidl_memory_hwservice:hwservice_manager find;

--- a/public/service.te
+++ b/public/service.te
@ -268,6 +268,7 @@ type hal_audiocontrol_service, vendor_service, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
 type hal_dice_service, vendor_service, protected_service, service_manager_type;
+type hal_drm_service, vendor_service, service_manager_type;
 type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
 type hal_face_service, vendor_service, protected_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -32,6 +32,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example    u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te
@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)