android_system_sepolicy/public/hal_drm.te

# HwBinder IPC from client to server, and callbacks
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)

hal_attribute_hwservice(hal_drm, hal_drm_hwservice)

allow hal_drm hidl_memory_hwservice:hwservice_manager find;

# Required by Widevine DRM (b/22990512)
allow hal_drm self:process execmem;

# Permit reading device's serial number from system properties
get_prop(hal_drm, serialno_prop)

# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };

# Read access to pseudo filesystems
r_dir_file(hal_drm, cgroup)
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;

# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;

allow hal_drm sysfs:file r_file_perms;

allow hal_drm tee_device:chr_file rw_file_perms;

allow hal_drm_server { appdomain -isolated_app }:fd use;

# only allow unprivileged socket ioctl commands
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

###
### neverallow rules
###

# hal_drm should never execute any executable without a
# domain transition
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Switch DRM HAL policy to _client/_server This switches DRM HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of DRM HAL. Domains which are clients of DRM HAL, such as mediadrmserver domain, are granted rules targeting hal_drm only when the DRM HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_drm are not granted to client domains. Domains which offer a binderized implementation of DRM HAL, such as hal_drm_default domain, are always granted rules targeting hal_drm. Test: Play movie using Google Play Movies Test: Play movie using Netflix Bug: 34170079 Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9 2017-02-17 14:51:02 -08:00			`# HwBinder IPC from client to server, and callbacks`
			`binder_call(hal_drm_client, hal_drm_server)`
			`binder_call(hal_drm_server, hal_drm_client)`
Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 12:01:18 -08:00
hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 09:30:18 -07:00			`hal_attribute_hwservice(hal_drm, hal_drm_hwservice)`
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31 2017-04-13 19:05:27 -07:00
			`allow hal_drm hidl_memory_hwservice:hwservice_manager find;`

Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 12:01:18 -08:00			`# Required by Widevine DRM (b/22990512)`
			`allow hal_drm self:process execmem;`

			`# Permit reading device's serial number from system properties`
			`get_prop(hal_drm, serialno_prop)`

			`# Read files already opened under /data`
			`allow hal_drm system_data_file:file { getattr read };`

			`# Read access to pseudo filesystems`
			`r_dir_file(hal_drm, cgroup)`
			`allow hal_drm cgroup:dir { search write };`
			`allow hal_drm cgroup:file w_file_perms;`

			`# Allow access to ion memory allocation device`
			`allow hal_drm ion_device:chr_file rw_file_perms;`
			`allow hal_drm hal_graphics_allocator:fd use;`

Allow DRM hal to access fd allocated by mediaserver Test: gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC bug:37548390 Change-Id: I9c2d446118d3a5f729730b75ec117954e383159b 2017-04-25 12:31:43 -07:00			`# Allow access to fds allocated by mediaserver`
			`allow hal_drm mediaserver:fd use;`

Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 12:01:18 -08:00			`allow hal_drm sysfs:file r_file_perms;`

			`allow hal_drm tee_device:chr_file rw_file_perms;`

Give hal_drm_server appdomain fd access. Test: Build. Change-Id: I29f68964f4ae2ad2c3a00c96f57f48448d8b6dfb 2019-06-05 10:09:05 -07:00			`allow hal_drm_server { appdomain -isolated_app }:fd use;`

Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 12:01:18 -08:00			`# only allow unprivileged socket ioctl commands`
			`allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }`
			`ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };`

			`###`
			`### neverallow rules`
			`###`

			`# hal_drm should never execute any executable without a`
			`# domain transition`
Fix CTS regressions Commit 7688161 "hal__(client\|server) => hal(client\|server)domain" added neverallow rules on hal__client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Test: build taimen-user/userdebug Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc 2017-11-20 21:43:25 -08:00			`neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;`
Add sepolicy for drm HALs bug:32815560 Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f 2017-01-01 12:01:18 -08:00
			`# do not allow privileged socket ioctl commands`
Fix CTS regressions Commit 7688161 "hal__(client\|server) => hal(client\|server)domain" added neverallow rules on hal__client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Test: build taimen-user/userdebug Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc 2017-11-20 21:43:25 -08:00			`neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`