From c86f42b9a75a65e7b4651dd68d919a35dc30cf79 Mon Sep 17 00:00:00 2001
From: Jeff Tinker <jtinker@google.com>
Date: Sun, 1 Jan 2017 12:01:18 -0800
Subject: [PATCH] Add sepolicy for drm HALs

bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
---
 private/file_contexts | 1 +
 private/hal_drm_default.te | 5 ++++
 public/attributes | 1 +
 public/domain.te | 1 +
 public/hal_drm.te | 53 ++++++++++++++++++++++++++++++++++++
 public/mediadrmserver.te | 55 +++-----------------------------------
 public/system_server.te | 1 +
 7 files changed, 65 insertions(+), 52 deletions(-)
 create mode 100644 private/hal_drm_default.te
 create mode 100644 public/hal_drm.te
diff --git a/private/file_contexts b/private/file_contexts
index 05b67311e..95b27820b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -245,6 +245,7 @@
 /system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
diff --git a/private/hal_drm_default.te b/private/hal_drm_default.te
new file mode 100644
index 000000000..6e4df5b8b
--- /dev/null
+++ b/private/hal_drm_default.te
@@ -0,0 +1,5 @@
+type hal_drm_default, domain;
+hal_impl_domain(hal_drm_default, hal_drm)
+
+type hal_drm_default_exec, exec_type, file_type;
+init_daemon_domain(hal_drm_default)
diff --git a/public/attributes b/public/attributes
index 299532b36..1aacd9e33 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,7 @@ attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_camera;
 attribute hal_contexthub;
+attribute hal_drm;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/domain.te b/public/domain.te
index 09958f0a5..ca8683660 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,6 +378,7 @@ neverallow {
 domain
 -adbd
 -dumpstate
+ -hal_drm
 -init
 -mediadrmserver
 -recovery
diff --git a/public/hal_drm.te b/public/hal_drm.te
new file mode 100644
index 000000000..79b385f7a
--- /dev/null
+++ b/public/hal_drm.te
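Review bot: The added `-hal_drm` in domain.te exempts every domain that carries the hal_drm attribute — hal_drm_default, mediadrmserver via the hal_impl_domain call in this same patch, and any future vendor implementation — where each neighbouring entry names a single type, so the exemption is wider than the pattern around it. The head and target of this neverallow lie outside the hunk, but given `get_prop(hal_drm, serialno_prop)` in hal_drm.te it appears to be the serial-number property restriction; a comment on the new entry would keep that reason attached, e.g. `-hal_drm # DRM HAL implementations read serialno_prop (hal_drm.te)`. Once mediadrmserver gains the attribute, the `-mediadrmserver` entry below becomes redundant and could be dropped in a follow-up.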
@@ -0,0 +1,53 @@
+## call into system_server process (for invoking callbacks)
+binder_call(hal_drm, mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:dir { search getattr };
+allow hal_drm system_data_file:file { getattr read };
+allow hal_drm system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
+allow hal_drm sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow hal_drm tee:unix_stream_socket connectto;
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 817365749..c695432b1 100644
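Review bot: The header comment `## call into system_server process (for invoking callbacks)` does not describe the rule beneath it, which is `binder_call(hal_drm, mediadrmserver)`; the only system_server rule this patch adds is `binder_call(system_server, hal_drm)` in system_server.te, so either the comment should read `# call into mediadrmserver (for invoking callbacks)` or a `binder_call(hal_drm, system_server)` line is missing, depending on which process the callbacks actually target. `allow hal_drm media_data_file:file { getattr read };` is already covered by the `create_file_perms` grant on the line before it and can be dropped. The `allow hal_drm sysfs:file r_file_perms;` rule is moved over from mediadrmserver.te without its `# XXX Label with a specific type?` marker; keeping that comment preserves the known follow-up on the unlabeled sysfs read. Every rule here, `self:process execmem` included, now applies to all domains carrying hal_drm rather than only the Widevine case b/22990512 describes, which is worth stating in that comment.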
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -10,61 +10,12 @@ binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
 binder_service(mediadrmserver)
 
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+# Inherit hal_drm access rules until DRM HAL implementation is
+# moved out of mediadrmserver
+hal_impl_domain(mediadrmserver, hal_drm)
diff --git a/public/system_server.te b/public/system_server.te
index 5dc99ab07..84854807e 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -181,6 +181,7 @@ binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 binder_call(system_server, hal_wifi)
+binder_call(system_server, hal_drm)
 binder_call(system_server, wpa)
 
 # Talk to tombstoned to get ANR traces.
--
GitLab
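Review bot: `hal_impl_domain(mediadrmserver, hal_drm)` is a broader replacement than the 52 rules it stands in for: the macro is defined outside this patch and, judging by its use for hal_drm_default, presumably adds HAL-implementation plumbing on top of the hal_drm attribute, so mediadrmserver's effective permissions likely grow rather than merely move — please confirm against the macro. The comment describes the transition but not what extra access is accepted in the meantime or what event removes it; a tracked marker such as `# TODO(b/32815560): drop once the DRM HAL impl leaves mediadrmserver` would make the temporary state visible. The enclosing file continues outside the hunk.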