From 0d5bac13e1a98a942689f3b2183ed6f7ff66b976 Mon Sep 17 00:00:00 2001
From: Jeff Tinker <jtinker@google.com>
Date: Fri, 12 Feb 2016 09:05:42 -0800
Subject: [PATCH] Add mediadrm service

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
---
 file_contexts     |  1 +
 mediadrmserver.te | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 service.te        |  1 +
 service_contexts  |  1 +
 system_server.te  |  8 +++++-
 untrusted_app.te  |  1 +
 6 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 mediadrmserver.te

diff --git a/file_contexts b/file_contexts
index 94702b45d..56ed390e1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -165,6 +165,7 @@
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
diff --git a/mediadrmserver.te b/mediadrmserver.te
new file mode 100644
index 000000000..f4b5eccea
--- /dev/null
+++ b/mediadrmserver.te
@@ -0,0 +1,63 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+init_daemon_domain(mediadrmserver)
+
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow mediadrmserver self:process execmem;
+
+# System file accesses.
+allow mediadrmserver system_file:dir r_dir_perms;
+allow mediadrmserver system_file:file r_file_perms;
+allow mediadrmserver system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow mediadrmserver system_data_file:dir { search getattr };
+allow mediadrmserver system_data_file:file { getattr read };
+allow mediadrmserver system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(mediadrmserver, cgroup)
+allow mediadrmserver cgroup:dir { search write };
+allow mediadrmserver cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow mediadrmserver ion_device:chr_file rw_file_perms;
+
+# Allow access to app_data and media_data_files
+allow mediadrmserver media_data_file:dir create_dir_perms;
+allow mediadrmserver media_data_file:file create_file_perms;
+
+allow mediadrmserver tee_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediadrmserver sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow mediadrmserver tee:unix_stream_socket connectto;
+
+allow mediadrmserver mediadrmserver_service:service_manager { add find };
+allow mediadrmserver mediaserver_service:service_manager { add find };
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
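Review bot: The rule `allow mediadrmserver mediaserver_service:service_manager { add find };` grants `add` on the whole `mediaserver_service` label, so the new daemon could register (or re-register) any service name carrying that label, not only `media.drm`, which this commit labels `mediadrmserver_service` in service_contexts; unless the intermediate property-gated step really needs to publish under the old label, the narrower `allow mediadrmserver mediaserver_service:service_manager find;` is enough, and if `add` is required the why should be stated in a comment above it. The `execmem` grant is justified only by a bug number; a one-line comment such as `# W^X exception for the Widevine DRM plugin; remove once the plugin no longer needs executable anonymous memory` would let a later reviewer judge whether it is still needed, as would noting that the comment "Allow access to app_data and media_data_files" is followed only by `media_data_file` rules. The `sysfs:file r_file_perms` grant already carries an XXX to narrow the label; this seems worth tracking in the bug rather than leaving open in a new domain that untrusted apps can reach via `binder_call(mediadrmserver, appdomain)` and the service_manager `find` added in untrusted_app.te.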
diff --git a/service.te b/service.te
index 24118ff1a..34bd50a95 100644
--- a/service.te
+++ b/service.te
@@ -11,6 +11,7 @@ type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
+type mediadrmserver_service,    service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
diff --git a/service_contexts b/service_contexts
index fe5808219..39e004c3a 100644
--- a/service_contexts
+++ b/service_contexts
@@ -72,6 +72,7 @@ media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:audioserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
+media.drm                                 u:object_r:mediadrmserver_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/system_server.te b/system_server.te
index dbe93e47b..2e131b34f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -139,12 +139,13 @@ binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, audioserver)
 r_dir_file(system_server, cameraserver)
 r_dir_file(system_server, mediaserver)
+r_dir_file(system_server, mediadrmserver)
 r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, mediacodec)
 r_dir_file(system_server, sdcardd)
@@ -157,6 +158,10 @@ allow system_server audioserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;
 
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
@@ -390,6 +395,7 @@ allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 2d85bfcea..30364b035 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -73,6 +73,7 @@ allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app mediaextractor_service:service_manager find;
 allow untrusted_app mediacodec_service:service_manager find;
+allow untrusted_app mediadrmserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-- 
GitLab