From 5bfda51eeb8074104cd64bc8c304ae4350f7ad06 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Wed, 25 Jan 2017 15:27:27 -0800
Subject: [PATCH] Remove hal_drm from mediadrmserver domain

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This reverts the moving of rules out of mediadrmserver in commit
c86f42b9a75a65e7b4651dd68d919a35dc30cf79.

Test: YouTube videos play back, no mediadrmserver denials
Bug: 34715716
Bug: 32815560
Change-Id: Ib57ef880bcc306c6e01f2c24c0f3a4298598eb9a
---
 public/mediadrmserver.te | 63 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 3 deletions(-)

diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index c695432b1..781229b72 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,6 +16,63 @@ allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
-# Inherit hal_drm access rules until DRM HAL implementation is
-# moved out of mediadrmserver
-hal_impl_domain(mediadrmserver, hal_drm)
+### Rules needed when DRM HAL runs inside mediadrmserver process.
+### These rules should eventually be granted only when needed.
+# Required by Widevine DRM (b/22990512)
+allow mediadrmserver self:process execmem;
+
+# System file accesses.
+allow mediadrmserver system_file:dir r_dir_perms;
+allow mediadrmserver system_file:file r_file_perms;
+allow mediadrmserver system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow mediadrmserver system_data_file:dir { search getattr };
+allow mediadrmserver system_data_file:file { getattr read };
+allow mediadrmserver system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(mediadrmserver, cgroup)
+allow mediadrmserver cgroup:dir { search write };
+allow mediadrmserver cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow mediadrmserver ion_device:chr_file rw_file_perms;
+allow mediadrmserver hal_graphics_allocator:fd use;
+
+# Allow access to app_data and media_data_files
+allow mediadrmserver media_data_file:dir create_dir_perms;
+allow mediadrmserver media_data_file:file create_file_perms;
+allow mediadrmserver media_data_file:file { getattr read };
+
+allow mediadrmserver tee_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediadrmserver sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow mediadrmserver tee:unix_stream_socket connectto;
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+###
+
+### Rules needed when DRM HAL runs outside of mediadrmserver process.
+### These rules should eventually be granted only when needed.
+hwbinder_use(mediadrmserver)
+###
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
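Review bot: The second `media_data_file:file` rule in the new block, `allow mediadrmserver media_data_file:file { getattr read };`, is already covered by the `create_file_perms` rule directly above it (that macro expands to include `r_file_perms`, hence `getattr` and `read`), so the line is redundant and can be dropped without changing the resulting policy. If the intent was to document that mediadrmserver only reads some of these files, that belongs in the comment rather than in a duplicate rule. In the same vein, `allow mediadrmserver tee_device:chr_file rw_file_perms;` is the one rule in the block without a comment, while every neighbour explains its purpose; a one-line `# Access to the TEE device node (in-process DRM HAL).` would keep the block self-describing. Since the two `###` sections both state that the rules "should eventually be granted only when needed", it would help future tightening to name the tracking bug from the description in that comment, e.g. `### TODO(b/34715716): grant only when the DRM HAL runs in-process.`, provided that bug is the right tracker.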
-- 
GitLab