Commit 70f75ce9 authored by Riley Spahn's avatar Riley Spahn

Add fine grained access control to DrmManagerService.

Add policies supporting SELinux MAC in DrmManagerService.
Add drmservice class with verbs for each of the
functions exposed by drmservice.

Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
parent ba992496
......@@ -921,3 +921,14 @@ class debuggerd
dump_tombstone
dump_backtrace
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
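Review bot: The new `drmservice` class defines eight verbs, all on the rights-consumption and decrypt path, while the commit description says there is a verb for each function drmservice exposes. If the service has other binder entry points, this class cannot mediate them and they stay governed by whatever checks the service already performs. A comment above the class would make the scope explicit, for example `# Covers the decrypt-session calls only; other DrmManagerService calls are not mediated by this class.`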
......@@ -54,3 +54,5 @@ auditallow drmserver {
-drmserver_service
-system_server_service
}:service_manager find;
selinux_check_access(drmserver)
......@@ -89,3 +89,15 @@ auditallow mediaserver {
-system_server_service
-surfaceflinger_service
}:service_manager find;
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};
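Review bot: The `allow mediaserver drmserver:drmservice { ... }` rule grants every verb the class defines, so for mediaserver the new class does not separate consumeRights from decrypt; the restriction comes only from other domains having no rule. That property is implicit and a later allow on an attribute could widen it unnoticed. Consider pinning it with a compile-time guard such as `neverallow { domain -mediaserver } drmserver:drmservice *;`, adjusted if other domains are expected to call these functions. A one-line comment above the rule saying why mediaserver needs the full set would also help later audits.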
......@@ -146,4 +146,5 @@ class keystore_key # userspace
# debuggerd service
class debuggerd # userspace
class drmservice # userspace
# FLASK
......@@ -367,3 +367,13 @@ define(`use_keystore', `
define(`service_manager_local_audit_domain', `
typeattribute $1 service_manager_local_audit;
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')
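Review bot: `use_drmservice` grants no `drmservice` permission to `$1`; its three rules only let drmserver read the caller's /proc entries so that getpidcon can resolve the caller's context. The name suggests otherwise, so the header comment should say so, for example `# Lets drmserver look up the context of $1 through /proc/<pid>; the drmservice verbs need a separate allow rule.` Because the lookup is keyed on a pid, the check is presumably only as reliable as the pid the service passes to getpidcon, since a caller that exits can have its pid reused. That caveat belongs in the same comment.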