From 3a0721a38fc45a4f41968ddfc97ed3a4494cfe5e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sat, 1 Oct 2016 05:26:15 -0700
Subject: [PATCH] mediaserver drmserver: remove domain_deprecated attribute

avc: granted { use } for pid=3067 comm="SoundPoolThread"
scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd

Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.

Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b
---
 domain_deprecated.te | 18 +++++++++---------
 drmserver.te         |  4 +++-
 mediaserver.te       |  4 ++--
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index 50249fe79..c363a6c46 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -14,7 +14,7 @@ auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system
 
 # Inherit or receive open files from others.
 allow domain_deprecated system_server:fd use;
-auditallow { domain_deprecated -appdomain -mediaserver -netd -surfaceflinger } system_server:fd use;
+auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
@@ -41,9 +41,9 @@ auditallow domain_deprecated device:file read;
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
@@ -78,7 +78,7 @@ auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 # split this auditallow into read and write perms since most domains seem to
 # only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -mediaserver -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
 auditallow domain_deprecated ion_device:chr_file { write append };
 
 # Read access to pseudo filesystems.
@@ -96,8 +96,8 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
@@ -105,8 +105,8 @@ auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vol
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
 
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
diff --git a/drmserver.te b/drmserver.te
index 06f186540..d0adf4615 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,5 @@
 # drmserver - DRM service
-type drmserver, domain, domain_deprecated;
+type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
@@ -12,6 +12,8 @@ binder_use(drmserver)
 binder_call(drmserver, system_server)
 binder_call(drmserver, { appdomain autoplay_app })
 binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
 
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
diff --git a/mediaserver.te b/mediaserver.te
index d6b68d27e..e55c778e9 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,5 @@
 # mediaserver - multimedia daemon
-type mediaserver, domain, domain_deprecated;
+type mediaserver, domain;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
@@ -8,7 +8,7 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaserver, cgroup)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
-- 
GitLab