Add fine grained access control to DrmManagerService.

Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.

Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e

access_vectors

@@ -921,3 +921,14 @@ class debuggerd
 	dump_tombstone
 	dump_backtrace
 }
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}

drmserver.te

@@ -54,3 +54,5 @@ auditallow drmserver {
     -drmserver_service
     -system_server_service
 }:service_manager find;
+
+selinux_check_access(drmserver)

mediaserver.te

@@ -89,3 +89,15 @@ auditallow mediaserver {
     -system_server_service
     -surfaceflinger_service
 }:service_manager find;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};

security_classes

@@ -146,4 +146,5 @@ class keystore_key              # userspace
 # debuggerd service
 class debuggerd                 # userspace
 
+class drmservice                # userspace
 # FLASK

te_macros

@@ -367,3 +367,13 @@ define(`use_keystore', `
 define(`service_manager_local_audit_domain', `
   typeattribute $1 service_manager_local_audit;
 ')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')