atv: Label and allow mediashell_app what it needs

* ATV GMS does this, so we need to do the same.

Change-Id: I0d4fecfad032b0a14a215fa4ddf2e994a9df0c70
diff --git a/atv/private/certs/mediashell/mediashell-release.x509.pem b/atv/private/certs/mediashell/mediashell-release.x509.pem
new file mode 100644
index 0000000..1c4dc5a
--- /dev/null
+++ b/atv/private/certs/mediashell/mediashell-release.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/atv/private/keys.conf b/atv/private/keys.conf
new file mode 100644
index 0000000..1fa8af5
--- /dev/null
+++ b/atv/private/keys.conf
@@ -0,0 +1,2 @@
+[@MEDIASHELL]
+ALL : device/lineage/sepolicy/atv/private/certs/mediashell/mediashell-release.x509.pem
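Review bot: The `ALL :` key on the new mapping binds the release certificate for every build variant, so a mediashell APK signed with any other (e.g. debug) key will not receive seinfo=mediashell and will fall through to whatever seapp_contexts default applies; that is a reasonable choice but it is not stated anywhere. A one-line comment above the section would make the intent reviewable, e.g. `# Release cert only, for all variants; a differently-signed build does not get the mediashell_app domain`. If a debug-signed MediaShell is expected on eng builds, a separate ENG/USERDEBUG line would presumably be needed — confirm against how the app is built.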
diff --git a/atv/private/mac_permissions.xml b/atv/private/mac_permissions.xml
new file mode 100644
index 0000000..68e39ed
--- /dev/null
+++ b/atv/private/mac_permissions.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+    <signer signature="@MEDIASHELL" >
+      <seinfo value="mediashell" />
+    </signer>
+</policy>
+
diff --git a/atv/private/mediashell_app.te b/atv/private/mediashell_app.te
new file mode 100644
index 0000000..72d7063
--- /dev/null
+++ b/atv/private/mediashell_app.te
@@ -0,0 +1,28 @@
+type mediashell_app, domain, coredomain;
+
+app_domain(mediashell_app);
+bluetooth_domain(mediashell_app);
+net_domain(mediashell_app);
+
+userdebug_or_eng(`
+   allow mediashell_app shell_data_file:file r_file_perms;
+   allow mediashell_app shell_data_file:dir r_dir_perms;
+')
+
+allow mediashell_app audioserver:fifo_file { write };
+
+allow mediashell_app app_api_service:service_manager find;
+allow mediashell_app audioserver_service:service_manager find;
+allow mediashell_app cameraserver_service:service_manager find;
+allow mediashell_app drmserver_service:service_manager find;
+allow mediashell_app mediadrmserver_service:service_manager find;
+allow mediashell_app mediaextractor_service:service_manager find;
+allow mediashell_app mediametrics_service:service_manager find;
+allow mediashell_app mediaserver_service:service_manager find;
+allow mediashell_app network_watchlist_service:service_manager find;
+allow mediashell_app nfc_service:service_manager find;
+allow mediashell_app radio_service:service_manager find;
+allow mediashell_app system_api_service:service_manager find;
+
+allow mediashell_app self:process ptrace;
+allow mediashell_app self:process ptrace;
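Review bot: The rule `allow mediashell_app self:process ptrace;` is written twice, on the last two lines of the file; the second copy is redundant and should be dropped so the rule count in the file matches what the policy actually grants. Granting an app domain ptrace on itself is also unusual enough that it deserves a why-comment naming the feature that needs it, e.g. `# self-ptrace: needed by <feature> in MediaShell — mirrors the ATV GMS policy`, since the commit message only justifies the set as a whole by reference to ATV GMS. The same applies to the `audioserver:fifo_file { write }` rule and the long service_manager find list: a short comment per group saying which MediaShell function depends on it would let a later reviewer prune the list when the app changes.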
diff --git a/atv/private/seapp_contexts b/atv/private/seapp_contexts
new file mode 100644
index 0000000..b32c255
--- /dev/null
+++ b/atv/private/seapp_contexts
@@ -0,0 +1 @@
+user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell type=app_data_file levelFrom=all
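Review bot: The seapp_contexts entry has no comment, and the security-relevant part is easy to misread: the package `name=` is not what gates the domain, the `seinfo=mediashell` selector is, and that value is only assigned by mac_permissions.xml to APKs signed with the @MEDIASHELL certificate. A comment above the line such as `# Android TV MediaShell; the domain is only reached when the APK is signed with the @MEDIASHELL cert (seinfo=mediashell), not merely by package name` would make that explicit. Note too that `isPrivApp=true` presumably restricts the match to a privileged-app install location, so a sideloaded copy with the same name and signature would not land in mediashell_app — worth confirming and recording in the same comment.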
diff --git a/atv/sepolicy.mk b/atv/sepolicy.mk
index 43af961..b0df2cb 100644
--- a/atv/sepolicy.mk
+++ b/atv/sepolicy.mk
@@ -7,3 +7,6 @@
 BOARD_SEPOLICY_DIRS += \
     device/lineage/sepolicy/atv/vendor
 endif
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += \
+   device/lineage/sepolicy/atv/private