2012-01-04 09:33:27 -08:00
|
|
|
# drmserver - DRM service
|
2016-10-01 05:26:15 -07:00
|
|
|
type drmserver, domain;
|
2018-09-27 10:21:37 -07:00
|
|
|
type drmserver_exec, system_file_type, exec_type, file_type;
|
2012-01-04 09:33:27 -08:00
|
|
|
|
2013-10-29 11:42:35 -07:00
|
|
|
typeattribute drmserver mlstrustedsubject;
|
|
|
|
|
|
2014-02-24 12:06:11 -08:00
|
|
|
net_domain(drmserver)
|
|
|
|
|
|
2013-10-29 11:42:35 -07:00
|
|
|
# Perform Binder IPC to system server.
|
|
|
|
|
binder_use(drmserver)
|
|
|
|
|
binder_call(drmserver, system_server)
|
2017-01-19 10:56:18 -08:00
|
|
|
binder_call(drmserver, appdomain)
|
2019-08-22 00:16:06 -07:00
|
|
|
binder_call(drmserver, mediametrics)
|
2013-10-29 11:42:35 -07:00
|
|
|
binder_service(drmserver)
|
2016-10-01 05:26:15 -07:00
|
|
|
# Inherit or receive open files from system_server.
|
|
|
|
|
allow drmserver system_server:fd use;
|
2013-10-29 11:42:35 -07:00
|
|
|
|
|
|
|
|
# Perform Binder IPC to mediaserver
|
|
|
|
|
binder_call(drmserver, mediaserver)
|
|
|
|
|
|
|
|
|
|
allow drmserver sdcard_type:dir search;
|
|
|
|
|
allow drmserver drm_data_file:dir create_dir_perms;
|
|
|
|
|
allow drmserver drm_data_file:file create_file_perms;
|
2018-08-13 10:31:58 -07:00
|
|
|
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
|
|
|
|
|
allow drmserver sdcard_type:file { read write getattr map };
|
2014-01-31 13:20:20 -08:00
|
|
|
r_dir_file(drmserver, efs_file)
|
2013-10-29 11:42:35 -07:00
|
|
|
|
2014-02-04 13:49:01 -08:00
|
|
|
type drmserver_socket, file_type;
|
|
|
|
|
|
|
|
|
|
# /data/app/tlcd_sock socket file.
|
|
|
|
|
# Clearly, /data/app is the most logical place to create a socket. Not.
|
|
|
|
|
allow drmserver apk_data_file:dir rw_dir_perms;
|
|
|
|
|
allow drmserver drmserver_socket:sock_file create_file_perms;
|
|
|
|
|
# Delete old socket file if present.
|
|
|
|
|
allow drmserver apk_data_file:sock_file unlink;
|
2014-01-06 12:39:19 -08:00
|
|
|
|
|
|
|
|
# After taking a video, drmserver looks at the video file.
|
|
|
|
|
r_dir_file(drmserver, media_rw_data_file)
|
2014-03-13 12:35:46 -07:00
|
|
|
|
|
|
|
|
# Read resources from open apk files passed over Binder.
|
2018-08-13 10:31:58 -07:00
|
|
|
allow drmserver apk_data_file:file { read getattr map };
|
|
|
|
|
allow drmserver asec_apk_file:file { read getattr map };
|
|
|
|
|
allow drmserver ringtone_file:file { read getattr map };
|
2014-03-27 06:45:26 -07:00
|
|
|
|
|
|
|
|
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
2018-08-13 10:31:58 -07:00
|
|
|
allow drmserver radio_data_file:file { read getattr map };
|
2014-06-05 15:52:02 -07:00
|
|
|
|
2014-09-16 10:00:50 -07:00
|
|
|
# /oem access
|
2014-10-10 16:11:03 -07:00
|
|
|
allow drmserver oemfs:dir search;
|
2014-09-16 10:00:50 -07:00
|
|
|
allow drmserver oemfs:file r_file_perms;
|
2014-09-16 13:04:06 -07:00
|
|
|
|
2017-01-19 13:23:52 -08:00
|
|
|
add_service(drmserver, drmserver_service)
|
2015-04-08 13:04:59 -07:00
|
|
|
allow drmserver permission_service:service_manager find;
|
2019-08-22 00:16:06 -07:00
|
|
|
allow drmserver mediametrics_service:service_manager find;
|
2015-03-03 11:20:15 -08:00
|
|
|
|
2014-07-02 12:42:59 -07:00
|
|
|
selinux_check_access(drmserver)
|
2016-09-09 16:27:17 -07:00
|
|
|
|
|
|
|
|
r_dir_file(drmserver, cgroup)
|
|
|
|
|
r_dir_file(drmserver, system_file)
|
