3fbc536dfd
Addresses denials such as:
avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
This does not allow write denials such as:
avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
Need to understand whether write access is in fact required.
Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
46 lines
1.6 KiB
Text
46 lines
1.6 KiB
Text
# drmserver - DRM service
|
|
type drmserver, domain;
|
|
type drmserver_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(drmserver)
|
|
typeattribute drmserver mlstrustedsubject;
|
|
|
|
net_domain(drmserver)
|
|
|
|
# Perform Binder IPC to system server.
|
|
binder_use(drmserver)
|
|
binder_call(drmserver, system_server)
|
|
binder_call(drmserver, appdomain)
|
|
binder_service(drmserver)
|
|
|
|
# Perform Binder IPC to mediaserver
|
|
binder_call(drmserver, mediaserver)
|
|
|
|
allow drmserver sdcard_type:dir search;
|
|
allow drmserver drm_data_file:dir create_dir_perms;
|
|
allow drmserver drm_data_file:file create_file_perms;
|
|
allow drmserver tee_device:chr_file rw_file_perms;
|
|
allow drmserver app_data_file:file { read write getattr };
|
|
allow drmserver sdcard_type:file { read write getattr };
|
|
r_dir_file(drmserver, efs_file)
|
|
|
|
type drmserver_socket, file_type;
|
|
|
|
# /data/app/tlcd_sock socket file.
|
|
# Clearly, /data/app is the most logical place to create a socket. Not.
|
|
allow drmserver apk_data_file:dir rw_dir_perms;
|
|
type_transition drmserver apk_data_file:sock_file drmserver_socket;
|
|
allow drmserver drmserver_socket:sock_file create_file_perms;
|
|
allow drmserver tee:unix_stream_socket connectto;
|
|
# Delete old socket file if present.
|
|
allow drmserver apk_data_file:sock_file unlink;
|
|
|
|
# After taking a video, drmserver looks at the video file.
|
|
r_dir_file(drmserver, media_rw_data_file)
|
|
|
|
# Read resources from open apk files passed over Binder.
|
|
allow drmserver apk_data_file:file { read getattr };
|
|
allow drmserver asec_apk_file:file { read getattr };
|
|
|
|
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
|
allow drmserver radio_data_file:file { read getattr };
|