Merge "Move persistent data to /data/vendor."
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 4032940..cd52e7c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -17,6 +17,7 @@
type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type mediadrm_vendor_data_file, file_type, data_file_type;
# /sys
type sysfs_camera, sysfs_type, fs_type;
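Review bot: The new `mediadrm_vendor_data_file` type is declared without `mlstrustedobject`, unlike the three vendor data types directly above it, and nothing says whether that is deliberate. Dropping the attribute is the tighter choice, but since both hal_drm_widevine and the new migration domain will touch this type, a one-line comment would keep the next reader from "fixing" the asymmetry; something like `# /data/vendor/mediadrm: persistent Widevine state; intentionally not mlstrustedobject`. If it was an oversight rather than a choice, the other vendor data types show the form to match.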
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 60fd33b..423a0eb 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -80,6 +80,7 @@
# files in /system
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
+/system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
# files in /vendor
/vendor/bin/qsee_logger u:object_r:qsee_logger_exec:s0
@@ -187,6 +188,7 @@
/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
# /
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
index a98d0cd..e0a3914 100644
--- a/sepolicy/hal_drm_default.te
+++ b/sepolicy/hal_drm_default.te
@@ -8,9 +8,3 @@
allow hal_drm_default perfd_data_file:dir search;
allow hal_drm_default perfd:unix_stream_socket connectto;
allow hal_drm_default perfd_data_file:sock_file write;
-
-# TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm no longer directly accesses media_data_file.
-typeattribute hal_drm_default data_between_core_and_vendor_violators;
-allow hal_drm_default media_data_file:dir create_dir_perms;
-allow hal_drm_default media_data_file:file create_file_perms;
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index 1ba3cb1..ff93ec5 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -14,12 +14,6 @@
allow hal_drm_widevine qdisplay_service:service_manager { find };
binder_call(hal_drm_widevine, hal_graphics_composer)
-# TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm no longer directly accesses media_data_file.
-typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
-allow hal_drm_widevine media_data_file:dir create_dir_perms;
-allow hal_drm_widevine media_data_file:file create_file_perms;
-
allow hal_drm_widevine hal_allocator_server:fd use;
# TODO(b/71584763): Remove perfd use once QC implements a better method
@@ -27,3 +21,5 @@
allow hal_drm_widevine perfd_data_file:dir search;
allow hal_drm_widevine perfd_data_file:sock_file write;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
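Review bot: The two new allow rules replace the media_data_file grants removed earlier in this file, but unlike the removed block they carry no comment, so the link to the one-time migration performed by move-widevine-data-sh is lost. A short header such as `# Persistent Widevine data now lives in /data/vendor/mediadrm (mediadrm_vendor_data_file); migrated from media_data_file by move-widevine-data-sh` would document why the HAL needs full create perms on a type that otherwise only the migration script writes. Separately, the hal_drm_default hunk in this commit removes that domain's media_data_file access without adding any mediadrm_vendor_data_file replacement; if the default DRM plugin persists anything, those writes will now be denied, so it is worth confirming that omission is intentional.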
diff --git a/sepolicy/move-widevine-data-sh.te b/sepolicy/move-widevine-data-sh.te
new file mode 100644
index 0000000..e2541e5
--- /dev/null
+++ b/sepolicy/move-widevine-data-sh.te
@@ -0,0 +1,18 @@
+type move-widevine-data-sh, domain, coredomain;
+type move-widevine-data-sh_exec, exec_type, file_type;
+init_daemon_domain(move-widevine-data-sh);
+
+typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
+
+allow move-widevine-data-sh shell_exec:file rx_file_perms;
+allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
+
+allow move-widevine-data-sh file_contexts_file:file { read getattr open };
+
+allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
+allow move-widevine-data-sh media_data_file:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+
+allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
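Review bot: The `typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;` line has no comment, yet this commit deletes the TODO(b/36601695) that justified the same attribute on the two hal_drm domains, so the remaining core/vendor boundary exception is now undocumented. Since this domain exists only to perform a one-shot move (the `files_moved` marker comment makes that explicit), the exception should be tied to that lifetime, e.g. `# TODO(b/36601695): this coredomain script relabels media_data_file into mediadrm_vendor_data_file once; drop the violators attribute and this domain after the migration window.`. The rules themselves look consistent for a relabel-and-move: relabelfrom on media_data_file file/dir pairs with relabelto on mediadrm_vendor_data_file file/dir, and `file_contexts_file` read supports restorecon; what is not visible here is whether the parent directories of the source and destination (outside these types) already grant the add_name/remove_name a cross-type rename needs, presumably via coredomain rules, which is worth confirming with the script. Finally, `media_data_file:dir rw_dir_perms` plus `rmdir` and `rename` is broad for a coredomain; a comment naming exactly which operations the script performs would make it easier to trim later.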