sepolicy: bsp: Fix Netflix widevine L1 denies

Change-Id: I9553462fea01deb7d953d0c885218d3490dcfee7
Reviewed-on: https://review.statixos.com/c/android_device_mediatek_sepolicy_vndr/+/7763
Reviewed-by: Vaisakh Murali <mvaisakh@statixos.com>
Tested-by: Vaisakh Murali <mvaisakh@statixos.com>
diff --git a/bsp/non_plat/surfaceflinger.te b/bsp/non_plat/surfaceflinger.te
index 14cfb67..a6c2366 100644
--- a/bsp/non_plat/surfaceflinger.te
+++ b/bsp/non_plat/surfaceflinger.te
@@ -94,3 +94,6 @@
 # Data: 2021/09/07
 # Purpose: Call NpAgent
 hal_client_domain(surfaceflinger, hal_neuralnetworks)
+
+# Purpose: Netflix Widevine
+allow surfaceflinger teei_client_device:chr_file rw_file_perms;
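Review bot: The added `allow surfaceflinger teei_client_device:chr_file rw_file_perms;` gives the compositor read, write and ioctl on the TEE client device node, which is wider than the one-line comment justifies. If the logged denials show only a subset of those permissions, grant just that subset. If the driver's command numbers are known, also consider pinning the ioctls with an `allowxperm` rule. The comment should follow the file's existing `# Data:` / `# Purpose:` convention and say which denial it resolves, for example `# Purpose: Widevine L1 playback opens the TEE client node from surfaceflinger (avc: denied { <perms from log> })`.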
diff --git a/bsp/non_plat/untrusted_app.te b/bsp/non_plat/untrusted_app.te
index fcb9105..020625d 100644
--- a/bsp/non_plat/untrusted_app.te
+++ b/bsp/non_plat/untrusted_app.te
@@ -34,3 +34,18 @@
 # Operation : eMBMS Migration
 # Purpose :allow EXPWAY middleware to access the socket
 allow untrusted_app radio:unix_stream_socket connectto;
+
+# Purpose: Allow untrusted_app to access mdlactl_device and vpu_device
+allow untrusted_app mdla_device:chr_file { rw_file_perms };
+allow untrusted_app vpu_device:chr_file { rw_file_perms };
+
+# Purpose: Allow untrusted_app to access mcdi device
+allow untrusted_app proc_mcdi:dir search;
+allow untrusted_app proc_mcdi:file rw_file_perms;
+allow untrusted_app proc_mcdi:chr_file rw_file_perms;
+
+# Purpose: Netflix Widevine
+allow untrusted_app proc_atf_log:dir search;
+allow untrusted_app proc_m4u:dir search;
+get_prop(untrusted_app, vendor_mtk_microtrust_tee_prop)
+get_prop(untrusted_app, vendor_mtk_trustonic_tee_prop)
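Review bot: The rules at `mdla_device`, `vpu_device` and `proc_mcdi` give every third-party app write access to vendor driver nodes and a writable /proc entry, which the commit title (Netflix Widevine) does not cover. That exposes those kernel drivers to any installed app and may conflict with the platform's neverallow rules for untrusted apps, so it is worth confirming the neverallow checks pass in the build. I would move these three groups to their own change with the denial logs attached, and drop the write half unless a denial shows it, e.g. `allow untrusted_app proc_mcdi:file r_file_perms;`. The `proc_mcdi:chr_file` rule looks dead, since procfs entries are files and directories, and the comment names `mdlactl_device` while the rule uses `mdla_device`. The Widevine rules at the end apply to all of `untrusted_app`, not just the one client, and a comment should say that this is intended.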