Add fine grained access control to DrmManagerService.
Add policies supporting SELinux MAC in DrmManagerservice. Add drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
This commit is contained in:
parent
ba992496f0
commit
70f75ce9e5
5 changed files with 36 additions and 0 deletions
|
@ -921,3 +921,14 @@ class debuggerd
|
||||||
dump_tombstone
|
dump_tombstone
|
||||||
dump_backtrace
|
dump_backtrace
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class drmservice {
|
||||||
|
consumeRights
|
||||||
|
setPlaybackStatus
|
||||||
|
openDecryptSession
|
||||||
|
closeDecryptSession
|
||||||
|
initializeDecryptUnit
|
||||||
|
decrypt
|
||||||
|
finalizeDecryptUnit
|
||||||
|
pread
|
||||||
|
}
|
||||||
|
|
|
@ -54,3 +54,5 @@ auditallow drmserver {
|
||||||
-drmserver_service
|
-drmserver_service
|
||||||
-system_server_service
|
-system_server_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
selinux_check_access(drmserver)
|
||||||
|
|
|
@ -89,3 +89,15 @@ auditallow mediaserver {
|
||||||
-system_server_service
|
-system_server_service
|
||||||
-surfaceflinger_service
|
-surfaceflinger_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
use_drmservice(mediaserver)
|
||||||
|
allow mediaserver drmserver:drmservice {
|
||||||
|
consumeRights
|
||||||
|
setPlaybackStatus
|
||||||
|
openDecryptSession
|
||||||
|
closeDecryptSession
|
||||||
|
initializeDecryptUnit
|
||||||
|
decrypt
|
||||||
|
finalizeDecryptUnit
|
||||||
|
pread
|
||||||
|
};
|
||||||
|
|
|
@ -146,4 +146,5 @@ class keystore_key # userspace
|
||||||
# debuggerd service
|
# debuggerd service
|
||||||
class debuggerd # userspace
|
class debuggerd # userspace
|
||||||
|
|
||||||
|
class drmservice # userspace
|
||||||
# FLASK
|
# FLASK
|
||||||
|
|
10
te_macros
10
te_macros
|
@ -367,3 +367,13 @@ define(`use_keystore', `
|
||||||
define(`service_manager_local_audit_domain', `
|
define(`service_manager_local_audit_domain', `
|
||||||
typeattribute $1 service_manager_local_audit;
|
typeattribute $1 service_manager_local_audit;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# use_drmservice(domain)
|
||||||
|
# Ability to use DrmService which requires
|
||||||
|
# DrmService to call getpidcon.
|
||||||
|
define(`use_drmservice', `
|
||||||
|
allow drmserver $1:dir search;
|
||||||
|
allow drmserver $1:file { read open };
|
||||||
|
allow drmserver $1:process getattr;
|
||||||
|
')
|
||||||
|
|
Loading…
Reference in a new issue