From 70f75ce9e5975df47d0ccb32660bb618c22ef181 Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Wed, 2 Jul 2014 12:42:59 -0700
Subject: [PATCH] Add fine grained access control to DrmManagerService.

Add policies supporting SELinux MAC in DrmManagerService.
Add a drmservice class with verbs for each of the
functions exposed by drmservice.

Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
---
 access_vectors   | 11 +++++++++++
 drmserver.te     |  2 ++
 mediaserver.te   | 12 ++++++++++++
 security_classes |  1 +
 te_macros        | 10 ++++++++++
 5 files changed, 36 insertions(+)

diff --git a/access_vectors b/access_vectors
index 1b26bce96..659fb3632 100644
--- a/access_vectors
+++ b/access_vectors
@@ -921,3 +921,14 @@ class debuggerd
 	dump_tombstone
 	dump_backtrace
 }
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}
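Review bot: The new `drmservice` class lists eight verbs, all on the rights-consumption and decrypt-session path, while the commit message says there is a verb for each function the service exposes; a binder method with no verb here cannot be mediated by this class. Whether drmserver exposes further methods is not visible in this patch, so either confirm the list is complete or narrow the claim in the description. A comment above the class would record the intended scope, for example `# userspace class checked by drmserver; one verb per mediated DrmManagerService call`. The same eight names are repeated by hand in the mediaserver.te hunk, so the two lists have to change together.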
diff --git a/drmserver.te b/drmserver.te
index 14b2f4936..2a146b6bb 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -54,3 +54,5 @@ auditallow drmserver {
     -drmserver_service
     -system_server_service
 }:service_manager find;
+
+selinux_check_access(drmserver)
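Review bot: The added `selinux_check_access(drmserver)` line carries no comment saying why drmserver needs it, and the macro itself is defined outside this patch. From the rest of the change it looks like drmserver becomes a userspace object manager that queries policy for `drmservice` permissions. Saying so next to the call keeps the grant from looking arbitrary, e.g. `# drmserver checks drmservice permissions for its callers in userspace`.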
diff --git a/mediaserver.te b/mediaserver.te
index 52c593e6e..3eb078d4b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -89,3 +89,15 @@ auditallow mediaserver {
     -system_server_service
     -surfaceflinger_service
 }:service_manager find;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
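Review bot: The `allow mediaserver drmserver:drmservice` rule grants every verb the class defines, so for mediaserver the new class narrows nothing, and the list duplicates access_vectors by hand. If mediaserver needs only a subset, trim the rule to it; if it needs all eight, say so in a comment such as `# mediaserver drives the full decrypt path through drmserver`. No other domain receives a `drmservice` rule in this patch, so any other caller of these methods would be denied once drmserver enforces the check. It is worth confirming from denial logs which domains actually call them before enforcement is relied on.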
diff --git a/security_classes b/security_classes
index ca8f4689b..9cd3f1c39 100644
--- a/security_classes
+++ b/security_classes
@@ -146,4 +146,5 @@ class keystore_key              # userspace
 # debuggerd service
 class debuggerd                 # userspace
 
+class drmservice                # userspace
 # FLASK
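Review bot: The new `class drmservice` line has no heading comment and sits directly against the `# FLASK` end marker, unlike the `# debuggerd service` entry just above it. Move the blank line to after the entry and add a heading, e.g. `# drm service` on the line above `class drmservice                # userspace`.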
diff --git a/te_macros b/te_macros
index b2913f3cd..e211a1794 100644
--- a/te_macros
+++ b/te_macros
@@ -367,3 +367,13 @@ define(`use_keystore', `
 define(`service_manager_local_audit_domain', `
   typeattribute $1 service_manager_local_audit;
 ')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')
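Review bot: The header comment on `use_drmservice` does not say that every rule in the body has drmserver as the source: the macro grants nothing to `$1`, it lets drmserver search and read objects labelled with the caller's domain type, presumably its /proc/<pid> entries. That covers any file carrying that label, not only the attribute getpidcon reads, so the comment should state the cost of opting a domain in, e.g. `# Lets drmserver read /proc/<pid> of $1 to look up the caller's context; grants $1 nothing by itself`. A context looked up by PID can be stale if the PID has been reused by the time drmserver reads it; how drmserver obtains and uses the PID is outside this patch, so that is something to confirm in the service code. If callers also need binder access to drmserver, the comment should say whether that is expected to be granted separately.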
-- 
GitLab