Add fine grained access control to DrmManagerService.

Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.

Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
This commit is contained in:
Riley Spahn 2014-07-02 12:42:59 -07:00
parent ba992496f0
commit 70f75ce9e5
5 changed files with 36 additions and 0 deletions

View file

@ -921,3 +921,14 @@ class debuggerd
dump_tombstone
dump_backtrace
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}

View file

@ -54,3 +54,5 @@ auditallow drmserver {
-drmserver_service
-system_server_service
}:service_manager find;
selinux_check_access(drmserver)

View file

@ -89,3 +89,15 @@ auditallow mediaserver {
-system_server_service
-surfaceflinger_service
}:service_manager find;
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};

View file

@ -146,4 +146,5 @@ class keystore_key # userspace
# debuggerd service
class debuggerd # userspace
class drmservice # userspace
# FLASK

View file

@ -367,3 +367,13 @@ define(`use_keystore', `
define(`service_manager_local_audit_domain', `
typeattribute $1 service_manager_local_audit;
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')