Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 70d70e6be42d0ac5c1c4ca525121926d8f51e380 / . / public / drmserver.te
blob: d51507967148a2fcc51b171b36003634c0d5bcf2 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1# drmserver - DRM service
Jeff Vander Stoep3a0721a2016-10-01 05:26:15 -0700[diff] [blame]2type drmserver, domain;
Nick Kralevich5e372712018-09-27 10:21:37 -0700[diff] [blame]3type drmserver_exec, system_file_type, exec_type, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]4
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]5typeattribute drmserver mlstrustedsubject;
6
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]7net_domain(drmserver)
8
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]9# Perform Binder IPC to system server.
10binder_use(drmserver)
11binder_call(drmserver, system_server)
Nick Kralevichd5b60432017-01-19 10:56:18 -0800[diff] [blame]12binder_call(drmserver, appdomain)
Robert Shih353c4ab2019-08-22 00:16:06 -0700[diff] [blame]13binder_call(drmserver, mediametrics)
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]14binder_service(drmserver)
Jeff Vander Stoep3a0721a2016-10-01 05:26:15 -0700[diff] [blame]15# Inherit or receive open files from system_server.
16allow drmserver system_server:fd use;
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]17
18# Perform Binder IPC to mediaserver
19binder_call(drmserver, mediaserver)
20
ThiƩbaud Weksteen9ec53272021-06-23 10:21:49 +0200[diff] [blame]21allow drmserver { sdcard_type fuse }:dir search;
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]22allow drmserver drm_data_file:dir create_dir_perms;
23allow drmserver drm_data_file:file create_file_perms;
Nick Kralevichbedfb222018-08-13 10:31:58 -0700[diff] [blame]24allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
ThiƩbaud Weksteen9ec53272021-06-23 10:21:49 +0200[diff] [blame]25allow drmserver { sdcard_type fuse }:file { read write getattr map };
Nick Kralevich7cbe44f2014-01-31 13:20:20 -0800[diff] [blame]26r_dir_file(drmserver, efs_file)
Stephen Smalley3b268482013-10-29 14:42:35 -0400[diff] [blame]27
Nick Kralevich1a1ad952014-02-04 21:49:01 +0000[diff] [blame]28type drmserver_socket, file_type;
29
30# /data/app/tlcd_sock socket file.
31# Clearly, /data/app is the most logical place to create a socket. Not.
32allow drmserver apk_data_file:dir rw_dir_perms;
Jeff Vander Stoep5e6d60a2020-12-09 09:16:51 +0100[diff] [blame]33auditallow drmserver apk_data_file:dir { add_name write };
Nick Kralevich1a1ad952014-02-04 21:49:01 +0000[diff] [blame]34allow drmserver drmserver_socket:sock_file create_file_perms;
Jeff Vander Stoep5e6d60a2020-12-09 09:16:51 +0100[diff] [blame]35auditallow drmserver drmserver_socket:sock_file create;
Nick Kralevich1a1ad952014-02-04 21:49:01 +0000[diff] [blame]36# Delete old socket file if present.
37allow drmserver apk_data_file:sock_file unlink;
Nick Kralevich37339c72014-01-06 12:39:19 -0800[diff] [blame]38
39# After taking a video, drmserver looks at the video file.
40r_dir_file(drmserver, media_rw_data_file)
Stephen Smalley721f1ad2014-03-13 15:35:46 -0400[diff] [blame]41
42# Read resources from open apk files passed over Binder.
Nick Kralevichbedfb222018-08-13 10:31:58 -0700[diff] [blame]43allow drmserver apk_data_file:file { read getattr map };
44allow drmserver asec_apk_file:file { read getattr map };
45allow drmserver ringtone_file:file { read getattr map };
Stephen Smalley3fbc5362014-03-27 09:45:26 -0400[diff] [blame]46
47# Read /data/data/com.android.providers.telephony files passed over Binder.
Nick Kralevichbedfb222018-08-13 10:31:58 -0700[diff] [blame]48allow drmserver radio_data_file:file { read getattr map };
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]49
Vineeta Srivastava0a20b572014-09-16 10:00:50 -0700[diff] [blame]50# /oem access
Nick Kralevichebfd9f82014-10-10 16:11:03 -0700[diff] [blame]51allow drmserver oemfs:dir search;
Vineeta Srivastava0a20b572014-09-16 10:00:50 -0700[diff] [blame]52allow drmserver oemfs:file r_file_perms;
Vineeta Srivastavae0357cf2014-09-16 13:04:06 -0700[diff] [blame]53
Jeongik Cha832a8a92020-04-23 23:38:43 +0900[diff] [blame]54# overlay package access
55allow drmserver vendor_overlay_file:file { read map };
56
William Roberts606d2fd2017-01-19 13:23:52 -0800[diff] [blame]57add_service(drmserver, drmserver_service)
dcashman03a6f642015-04-08 13:04:59 -0700[diff] [blame]58allow drmserver permission_service:service_manager find;
Robert Shih353c4ab2019-08-22 00:16:06 -0700[diff] [blame]59allow drmserver mediametrics_service:service_manager find;
dcashman23f33612015-03-03 11:20:15 -0800[diff] [blame]60
Riley Spahn70f75ce2014-07-02 12:42:59 -0700[diff] [blame]61selinux_check_access(drmserver)
Jeff Vander Stoep7ef80732016-09-09 16:27:17 -0700[diff] [blame]62
63r_dir_file(drmserver, cgroup)
Marco Ballesioaa4ce952021-02-11 15:18:11 -0800[diff] [blame]64r_dir_file(drmserver, cgroup_v2)
Jeff Vander Stoep7ef80732016-09-09 16:27:17 -0700[diff] [blame]65r_dir_file(drmserver, system_file)