Add fine grained access control to DrmManagerService.
Add policies supporting SELinux MAC in DrmManagerService. Add a drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
parent
ba992496f0
commit
70f75ce9e5
5 changed files with 36 additions and 0 deletions
|
@ -921,3 +921,14 @@ class debuggerd
|
|||
dump_tombstone
|
||||
dump_backtrace
|
||||
}
|
||||
|
||||
class drmservice {
|
||||
consumeRights
|
||||
setPlaybackStatus
|
||||
openDecryptSession
|
||||
closeDecryptSession
|
||||
initializeDecryptUnit
|
||||
decrypt
|
||||
finalizeDecryptUnit
|
||||
pread
|
||||
}
|
||||
|
|
|
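Review bot: The new `class drmservice` defines eight verbs, while the description says there is a verb for each function exposed by the service. If DrmManagerService exposes binder calls beyond these eight, they have no permission to check against and stay unmediated. I would confirm the list against the service interface and note the scope in a comment above the class, for example `# Covers the rights-consumption and decrypt-session calls only; other DrmManagerService calls are not mediated by this class.` The service-side checks are not part of the visible hunks, so this is inferred from the policy alone.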
@ -54,3 +54,5 @@ auditallow drmserver {
|
|||
-drmserver_service
|
||||
-system_server_service
|
||||
}:service_manager find;
|
||||
|
||||
selinux_check_access(drmserver)
|
||||
|
|
|
@ -89,3 +89,15 @@ auditallow mediaserver {
|
|||
-system_server_service
|
||||
-surfaceflinger_service
|
||||
}:service_manager find;
|
||||
|
||||
use_drmservice(mediaserver)
|
||||
allow mediaserver drmserver:drmservice {
|
||||
consumeRights
|
||||
setPlaybackStatus
|
||||
openDecryptSession
|
||||
closeDecryptSession
|
||||
initializeDecryptUnit
|
||||
decrypt
|
||||
finalizeDecryptUnit
|
||||
pread
|
||||
};
|
||||
|
|
|
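Review bot: The `allow mediaserver drmserver:drmservice { ... }` rule lists every verb the new class defines, so the per-function split adds no restriction for mediaserver yet. A one-line comment above the rule on why mediaserver needs the full set would make later trimming easier, for example `# mediaserver currently needs every drmservice verb; narrow this once per-call usage is confirmed.` mediaserver is also the only domain granted these verbs in the visible hunks. Any other caller of these functions would presumably be denied once the service enforces the check, so it is worth reviewing the denial logs in permissive mode first.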
@ -146,4 +146,5 @@ class keystore_key # userspace
|
|||
# debuggerd service
|
||||
class debuggerd # userspace
|
||||
|
||||
class drmservice # userspace
|
||||
# FLASK
|
||||
|
|
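--- a/te_macros
+++ b/te_macros
@@ -367,3 +367,13 @@ define(`use_keystore', `
 define(`service_manager_local_audit_domain', `
 typeattribute $1 service_manager_local_audit;
 ')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+allow drmserver $1:dir search;
+allow drmserver $1:file { read open };
+allow drmserver $1:process getattr;
+')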
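Review bot: The header comment on `use_drmservice` does not say that the macro grants nothing to `$1` itself. All three rules have drmserver as the source, giving it `dir search`, `file { read open }` and `process getattr` on the client domain so that it can resolve the caller's context by pid. A reader could take `use_drmservice(mediaserver)` to be the whole grant, so I would add a line such as `# Grants drmserver access to $1 for the context lookup only; $1 still needs an explicit allow on drmserver:drmservice.` Since the comment says the lookup goes through getpidcon, it is also worth confirming on the service side that the pid cannot be recycled between the binder call and the lookup; that code is not in this diff.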