From 3b2684887e900f9e0e246f9faa575b0d8a8a3fa0 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:35 -0400
Subject: [PATCH] Confine drmserver, but leave it permissive for now.

Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 drmserver.te | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/drmserver.te b/drmserver.te
index 8727bc175..b465430ca 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,36 @@
 # drmserver - DRM service
 type drmserver, domain;
+permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
-unconfined_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+allow drmserver efs_file:file { open read getattr };
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket.  Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+allow drmserver tee:unix_stream_socket connectto;
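Review bot: The `*` in `allow drmserver self:{ tcp_socket udp_socket } *;` grants every permission defined for both socket classes, while every other rule in this hunk itemises what it allows. If the daemon only makes outbound client connections (an assumption to confirm from the denials logged while the domain is still permissive), the rule could be narrowed to `allow drmserver self:{ tcp_socket udp_socket } create_socket_perms;`. It would also help to add a comment above the `app_data_file`, `platform_app_data_file` and `sdcard_type` file rules, for example `# Access files via descriptors passed over Binder; no open permission is granted on purpose.`, so a later editor does not add `open` and widen the domain's reach into app data. Separately, `mlstrustedsubject` and `rw_dir_perms` on `apk_data_file:dir` are both broad grants, so each deserves a one-line justification before `permissive drmserver;` is dropped.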
-- 
GitLab