sepolicy: address drm (widevine) denials

* also address some kernel denials

Change-Id: If354f0ee4a1008a54fa4ba3de9468c1056a63d0c
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 6e49ab3..c2423b2 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -73,3 +73,6 @@
 
 /(vendor|system/vendor)/lib(64)?/libsensorlistener\.so                                              u:object_r:vendor_shimmed_lib:s0
 /(vendor|system/vendor)/lib/vndk/libstagefright_omx_utils\.so                                       u:object_r:vendor_shimmed_lib:s0
+
+/(vendor|system/vendor)/usr/idc(/.*)                                                                u:object_r:vendor_idc_file:s0
+/(vendor|system/vendor)/usr/keylayout(/.*)                                                          u:object_r:vendor_keylayout_file:s0
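Review bot: The two new entries end in `(/.*)` without a trailing `?`, so only the contents of `usr/idc` and `usr/keylayout` receive `vendor_idc_file`/`vendor_keylayout_file` while the directories themselves keep whatever the parent pattern assigns (presumably `vendor_file`), which leaves `search`/`getattr` on the directory coming from a different type than the files beneath it. The conventional form is `/(vendor|system/vendor)/usr/idc(/.*)?` and `/(vendor|system/vendor)/usr/keylayout(/.*)?`. Platform policy appears to ship equivalent entries for these paths already (to be confirmed against the platform file_contexts on this branch), in which case the device lines are redundant rather than harmful. This hunk is also not covered by the commit message; a one-line comment above the entries naming the denial they resolve would make the intent traceable.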
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 7cbd363..c7aaf07 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -8,8 +8,8 @@
 
 allow hal_drm_widevine hal_vendor_wvkprov_hwservice:hwservice_manager { add find };
 
-allow hal_drm_widevine mediadrm_vendor_data_file:dir { r_file_perms search };
-allow hal_drm_widevine mediadrm_vendor_data_file:file rw_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 
 allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
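Review bot: Switching to `create_dir_perms`/`create_file_perms` widens the grant well beyond the replaced rules, since those macros also carry `unlink`, `rename`, `setattr` on files and `rmdir`/`reparent` on directories; if the denial only reported `create`/`write`, the rule should be justified at that width rather than taken as a whole. The domain's declaration is outside this hunk, but if `hal_drm_widevine` is registered with `hal_server_domain(hal_drm_widevine, hal_drm)`, platform `hal_drm.te` already grants these same two rules through the attribute and the device copy is redundant (to be confirmed). Either way, record the evidence next to the rule, e.g. `# widevine provisioning needs to create/rewrite its store under /data/vendor/mediadrm (avc: denied { <perms from log> } ... tcontext=u:object_r:mediadrm_vendor_data_file:s0)`, with the actual perms taken from the denial.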
 
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index 0ba2950..f53d591 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -4,8 +4,10 @@
 
 r_dir_file(kernel, sysfs_sec_key);
 
-allow kernel device:dir { add_name write remove_name };
-allow kernel device:chr_file { create setattr getattr };
+allow kernel device:dir { add_name write remove_name rmdir };
+allow kernel device:chr_file { create setattr getattr unlink };
 
 r_dir_file(kernel, efs_file);
 r_dir_file(kernel, app_efs_file);
+
+allow kernel app_efs_file:file write;
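Review bot: `allow kernel app_efs_file:file write;` gives the kernel domain write access to application EFS data that the preceding `r_dir_file(kernel, app_efs_file)` only read, and because `kernel` covers every kernel thread the rule cannot be narrowed to the driver that actually needs it; the hunk records neither the driver nor the denial. Add a comment carrying that provenance, e.g. `# <driver from the avc log> writes <path> at boot (avc: denied { write } scontext=u:r:kernel:s0 tcontext=u:object_r:app_efs_file:s0)`, so a later audit can tell whether the access is still required. Granting `write` alone is sufficient only if the kernel writes through a descriptor it does not open itself; if an `open` denial follows, use `w_file_perms` instead of stacking another single-permission rule. The `rmdir`/`unlink` additions on `device` above are consistent with the existing create-side rules and need no further change.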