From 4968374205a6efba325a1f38fe4a2296e6ef4ab5 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Wed, 19 Jan 2022 23:34:37 -0800 Subject: [PATCH] Add sepolicy for DRM AIDL HAL Bug: 208486736 Test: atest VtsAidlHalDrmTargetTest Change-Id: Ia2b1488a564d94384d183d30291fbf5a6d2df4ab --- private/compat/32.0/32.0.ignore.cil | 1 + private/service_contexts | 2 ++ public/hal_drm.te | 2 ++ public/service.te | 1 + vendor/file_contexts | 1 + vendor/hal_drm_clearkey.te | 6 ++++++ 6 files changed, 13 insertions(+) create mode 100644 vendor/hal_drm_clearkey.te diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil index f995232d5..1d99b7c20 100644 --- a/private/compat/32.0/32.0.ignore.cil +++ b/private/compat/32.0/32.0.ignore.cil @@ -22,6 +22,7 @@ gesture_prop hal_contexthub_service hal_dice_service + hal_drm_service hal_dumpstate_service hal_graphics_allocator_service hal_graphics_composer_service diff --git a/private/service_contexts b/private/service_contexts index 606a01883..f1c24eae1 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -5,6 +5,8 @@ android.hardware.biometrics.face.IFace/default u:object_r: android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0 android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0 +android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0 +android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0 android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0 android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0 android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0 diff --git a/public/hal_drm.te b/public/hal_drm.te index bb1bd91e6..72fa308c1 100644 --- a/public/hal_drm.te +++ b/public/hal_drm.te @@ -1,8 +1,10 @@ # HwBinder IPC from client to server, and callbacks +binder_use(hal_drm_server) binder_call(hal_drm_client, hal_drm_server) binder_call(hal_drm_server, hal_drm_client) hal_attribute_hwservice(hal_drm, hal_drm_hwservice) +hal_attribute_service(hal_drm, hal_drm_service) allow hal_drm hidl_memory_hwservice:hwservice_manager find; diff --git a/public/service.te b/public/service.te index 23f144daa..297e47a47 100644 --- a/public/service.te +++ b/public/service.te @@ -268,6 +268,7 @@ type hal_audiocontrol_service, vendor_service, service_manager_type; type hal_authsecret_service, vendor_service, protected_service, service_manager_type; type hal_contexthub_service, vendor_service, protected_service, service_manager_type; type hal_dice_service, vendor_service, protected_service, service_manager_type; +type hal_drm_service, vendor_service, service_manager_type; type hal_dumpstate_service, vendor_service, protected_service, service_manager_type; type hal_face_service, vendor_service, protected_service, service_manager_type; type hal_fingerprint_service, vendor_service, protected_service, service_manager_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 9e19a6aca..762cf2089 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -32,6 +32,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0 diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te new file mode 100644 index 000000000..ab474d654 --- /dev/null +++ b/vendor/hal_drm_clearkey.te @@ -0,0 +1,6 @@ +type hal_drm_clearkey_aidl, domain; +type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_drm_clearkey_aidl) + +hal_server_domain(hal_drm_clearkey_aidl, hal_drm)