9b718c409f
This switches DRM HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of DRM HAL. Domains which are clients of DRM HAL, such as mediadrmserver domain, are granted rules targeting hal_drm only when the DRM HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_drm are not granted to client domains. Domains which offer a binderized implementation of DRM HAL, such as hal_drm_default domain, are always granted rules targeting hal_drm. Test: Play movie using Google Play Movies Test: Play movie using Netflix Bug: 34170079 Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
54 lines
1.8 KiB
Text
54 lines
1.8 KiB
Text
# HwBinder IPC from client to server, and callbacks
|
|
binder_call(hal_drm_client, hal_drm_server)
|
|
binder_call(hal_drm_server, hal_drm_client)
|
|
|
|
# Required by Widevine DRM (b/22990512)
|
|
allow hal_drm self:process execmem;
|
|
|
|
# Permit reading device's serial number from system properties
|
|
get_prop(hal_drm, serialno_prop)
|
|
|
|
# System file accesses
|
|
allow hal_drm system_file:dir r_dir_perms;
|
|
allow hal_drm system_file:file r_file_perms;
|
|
allow hal_drm system_file:lnk_file r_file_perms;
|
|
|
|
# Read files already opened under /data
|
|
allow hal_drm system_data_file:dir { search getattr };
|
|
allow hal_drm system_data_file:file { getattr read };
|
|
allow hal_drm system_data_file:lnk_file r_file_perms;
|
|
|
|
# Read access to pseudo filesystems
|
|
r_dir_file(hal_drm, cgroup)
|
|
allow hal_drm cgroup:dir { search write };
|
|
allow hal_drm cgroup:file w_file_perms;
|
|
|
|
# Allow access to ion memory allocation device
|
|
allow hal_drm ion_device:chr_file rw_file_perms;
|
|
allow hal_drm hal_graphics_allocator:fd use;
|
|
|
|
# Allow access to app_data and media_data_files
|
|
allow hal_drm media_data_file:dir create_dir_perms;
|
|
allow hal_drm media_data_file:file create_file_perms;
|
|
allow hal_drm media_data_file:file { getattr read };
|
|
|
|
allow hal_drm sysfs:file r_file_perms;
|
|
|
|
# Connect to tee service.
|
|
allow hal_drm tee:unix_stream_socket connectto;
|
|
allow hal_drm tee_device:chr_file rw_file_perms;
|
|
|
|
# only allow unprivileged socket ioctl commands
|
|
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
|
|
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# hal_drm should never execute any executable without a
|
|
# domain transition
|
|
neverallow hal_drm { file_type fs_type }:file execute_no_trans;
|
|
|
|
# do not allow privileged socket ioctl commands
|
|
neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|