From 2356defaed57b6fd08ccbb7428f605c864bc33bb Mon Sep 17 00:00:00 2001
From: Alejandro
Date: Sun, 14 Jun 2020 20:52:08 +0200
Subject: [PATCH] universal7870: rework drm sepolicy
---
 sepolicy/file.te | 4 ++++
 sepolicy/file_contexts | 11 ++++++++++-
 sepolicy/hal_drm_clearkey.te | 10 ++++++++++
 sepolicy/hal_drm_default.te | 4 ++--
 sepolicy/hal_drm_widevine.te | 23 +++++++++++++++++++++++
 sepolicy/init.te | 2 ++
 6 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 sepolicy/hal_drm_clearkey.te
 create mode 100644 sepolicy/hal_drm_widevine.te
diff --git a/sepolicy/file.te b/sepolicy/file.te
index a83dd66..20a467a 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -51,11 +51,15 @@ type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
 ### data types
 type biometrics_vendor_data_file, file_type, data_file_type;
+type camera_vendor_data_file, file_type, data_file_type;
 type conn_vendor_data_file, file_type, data_file_type;
 type display_vendor_data_file, file_type, data_file_type;
+type gk_vendor_data_file, file_type, data_file_type;
 type gps_vendor_data_file, file_type, data_file_type;
 type log_vendor_data_file, file_type, data_file_type;
 type log_cbd_vendor_data_file, file_type, data_file_type;
+type media_vendor_data_file, file_type, data_file_type;
+type mediadrm_vendor_data_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 type sswap_vendor_data_file, file_type, data_file_type;
 type wifi_vendor_data_file, file_type, data_file_type;
\ No newline at end of file
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d5a56cc..566b5e1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -87,7 +87,6 @@
 /data/\.cid\.info u:object_r:wifi_data_file:s0
 /data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
-/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
 # gps
 /data/system/gps(/.*)? u:object_r:gps_data_file:s0
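Review bot: The added `type mediadrm_vendor_data_file, file_type, data_file_type;` in file.te may collide with a platform type of the same name — recent AOSP system/sepolicy releases declare `mediadrm_vendor_data_file` and label `/data/vendor/mediadrm` with it themselves — and a duplicate `type` declaration is a policy build error, so please confirm the base policy on this branch does not already provide it before keeping the line. The new `camera_vendor_data_file` and `gk_vendor_data_file` types are declared and labelled in this patch but no domain in the diff is granted access to them, so whatever writes under `/data/vendor/camera` and `/data/vendor/gk` will be denied until matching allow rules land; a short comment next to each type naming the intended owner domain would make that intent visible. The trailing `\ No newline at end of file` is pre-existing but could be fixed while the file is being touched.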
@@ -109,6 +108,13 @@
 /data/vendor/log/cbd(/.*)? u:object_r:log_cbd_vendor_data_file:s0
 /data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
+/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
+/data/vendor/media(/.*)? u:object_r:media_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/gk(/.*)? u:object_r:gk_vendor_data_file:s0
+/data/camera(/.*)? u:object_r:camera_data_file:s0
+
 ####################################
 # sysfs files
 #/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
@@ -202,6 +208,9 @@
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
diff --git a/sepolicy/hal_drm_clearkey.te b/sepolicy/hal_drm_clearkey.te
new file mode 100644
index 0000000..64b5d41
--- /dev/null
+++ b/sepolicy/hal_drm_clearkey.te
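Review bot: `/data/camera(/.*)? u:object_r:camera_data_file:s0` labels the directory with a type this patch never declares (the type added in file.te is `camera_vendor_data_file`), so the line depends on the platform policy providing `camera_data_file`; if it does not, checkfc rejects the contexts file, and if it does, every core domain that already holds rules on `camera_data_file` gains that access to `/data/camera`, which should be confirmed as intended rather than labelling it `camera_vendor_data_file` like its `/data/vendor` sibling. The `/data/vendor/mediadrm(/.*)?` entry presumably duplicates an equivalent platform entry on current releases — worth checking, since identical duplicate specifications are at best a load-time warning. A `# /data/vendor/* labels (types in file.te)` comment above the added block would make the pairing with the new types visible. The executable entries in the later hunk of this file look correct and need no change.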
@@ -0,0 +1,10 @@
+# hal_drm_clearkey.te
+
+type hal_drm_clearkey, domain;
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hwbinder_use(hal_drm_clearkey)
+get_prop(hal_drm_clearkey, hwservicemanager_prop)
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
index 604f69e..af689d4 100644
--- a/sepolicy/hal_drm_default.te
+++ b/sepolicy/hal_drm_default.te
@@ -6,5 +6,5 @@ allow hal_drm_default tee:unix_stream_socket connectto;
 allow hal_drm_default efs_file:dir search;
 allow hal_drm_default cpk_efs_file:file r_file_perms;
-# allow hal_drm_default media_data_vendor_file:file create_file_perms;
-# allow hal_drm_default media_data_vendor_file:dir create_dir_perms;
+allow hal_drm_default media_vendor_data_file:file create_file_perms;
+allow hal_drm_default media_vendor_data_file:dir create_dir_perms;
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..eca9731
--- /dev/null
+++ b/sepolicy/hal_drm_widevine.te
@@ -0,0 +1,23 @@
+# hal_drm_widevine.te
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+# /data/vendor/mediadrm/
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+
+# /dev/s5p-smem
+allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
+
+# /dev/tzdev
+#allow hal_drm_widevine tz_user_device:chr_file rw_file_perms;
+
+# /efs/wv.keys
+allow hal_drm_widevine efs_file:dir search;
+allow hal_drm_widevine sec_efs_file:file r_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index a6114dc..79f9467 100644
--- a/sepolicy/init.te
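Review bot: `hwbinder_use(hal_drm_clearkey)` and `get_prop(hal_drm_clearkey, hwservicemanager_prop)` are inconsistent with the widevine domain created in this same patch, which gets only `hal_server_domain(..., hal_drm)` and `init_daemon_domain` yet must register over hwbinder just the same, so either both domains need these lines or neither does. If the platform's hal_drm.te already calls `hwbinder_use(hal_drm_server)` — which itself includes the `hwservicemanager_prop` grant — the two lines here are redundant and can be dropped; otherwise add them to hal_drm_widevine.te as well. A one-line comment stating which case applies, e.g. `# hwbinder access comes from the hal_drm server attribute`, would save the next reader the same check.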
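Review bot: `allow hal_drm_default media_vendor_data_file:dir create_dir_perms;` gives the default DRM service full create/write access to everything labelled under `/data/vendor/media`, while the widevine domain in this patch is scoped to the dedicated `/data/vendor/mediadrm` label; if the Samsung service only needs its own key/license store, pointing it at a dedicated directory and type as well would avoid two unrelated services sharing a writable directory with whatever else lives in `/data/vendor/media`. The corrected type name (`media_vendor_data_file` in place of the old commented `media_data_vendor_file`) is right and now matches file.te. A `# /data/vendor/media/` comment above the two lines, in the style used in hal_drm_widevine.te, would record why this domain does not use the mediadrm directory.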
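Review bot: `allow hal_drm_widevine sec_efs_file:file r_file_perms;` grants read access to every file carrying the `sec_efs_file` label, while the comment above it scopes the intent to `/efs/wv.keys`; the EFS partition is evidently sub-labelled (hal_drm_default reads `cpk_efs_file`), so if other secrets share `sec_efs_file` a dedicated label for the Widevine key file would keep this grant to the one file needed. The commented-out `#allow hal_drm_widevine tz_user_device:chr_file rw_file_perms;` is dead policy: either the service needs `/dev/tzdev`, in which case a runtime denial will show up, or the line should be removed with a short comment recording why TEE device access was left disabled. `allow hal_drm_widevine { appdomain -isolated_app }:fd use;` and the two `mediadrm_vendor_data_file` rules are likely already provided by the platform hal_drm attribute that `hal_server_domain` attaches; if so they are harmless duplicates but worth trimming so the file shows only device-specific grants.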
+++ b/sepolicy/init.te
@@ -93,3 +93,5 @@ allow init proc_sec:file { rw_file_perms setattr };
 # Sockets
 allow init socket_device:sock_file { read write getattr setattr create unlink };
+
+# allow init hal_drm_hwservice:hwservice_manager add;
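Review bot: The added `# allow init hal_drm_hwservice:hwservice_manager add;` is a commented-out grant that would let init register the DRM hwservice, which is not init's job — the two HAL domains created in this patch register their own service, presumably through the hal_drm server attribute attached by `hal_server_domain` — and leaving it in the policy file invites someone to uncomment it during later denial-chasing. If it was an experiment, drop both added lines; if there is a reason to keep a reminder, reword it so it reads as a decision rather than a pending rule, e.g. `# NOTE: init must not add hal_drm_hwservice; the DRM HAL domains register it themselves`.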