tequilaOS/platform_system_sepolicy

Fork 0

Commit graph

Author	SHA1	Message	Date
Alex Klyubin	f86d54f0d1	No access to tee domain over Unix domain sockets The tee domain is a vendor domain. Thus it cannot be accessed by non-vendor components over Unix domain sockets. It appears that the rules granting this access are not needed. Test: Flash a clean build with this change. Confirm that bullhead, angler, sailfish, ryu, boot without new denials. Confirm that YouTube, Netflix, Google Play Movies play back videos without new denials. Bug: 36714625 Bug: 36715266 Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a	2017-04-03 11:26:01 -07:00
Alex Klyubin	9b718c409f	Switch DRM HAL policy to _client/_server This switches DRM HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of DRM HAL. Domains which are clients of DRM HAL, such as mediadrmserver domain, are granted rules targeting hal_drm only when the DRM HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_drm are not granted to client domains. Domains which offer a binderized implementation of DRM HAL, such as hal_drm_default domain, are always granted rules targeting hal_drm. Test: Play movie using Google Play Movies Test: Play movie using Netflix Bug: 34170079 Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9	2017-02-17 15:36:41 -08:00
Jeff Tinker	c86f42b9a7	Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f	2017-01-25 11:21:03 -08:00

Author

SHA1

Message

Date

Alex Klyubin

f86d54f0d1

No access to tee domain over Unix domain sockets

The tee domain is a vendor domain. Thus it cannot be accessed by
non-vendor components over Unix domain sockets.

It appears that the rules granting this access are not needed.

Test: Flash a clean build with this change. Confirm that bullhead,
      angler, sailfish, ryu, boot without new denials.
      Confirm that YouTube, Netflix, Google Play Movies play back
      videos without new denials.
Bug: 36714625
Bug: 36715266

Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a

2017-04-03 11:26:01 -07:00

Alex Klyubin

9b718c409f

Switch DRM HAL policy to _client/_server

This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9

2017-02-17 15:36:41 -08:00

Jeff Tinker

c86f42b9a7

Add sepolicy for drm HALs

bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f

2017-01-25 11:21:03 -08:00

3 commits