Move persistent data to /data/vendor.

HALs are only allowed to access files in /data/vendor starting
in Pi. Change SELinux policy to move data from /data/mediadrm
to /data/vendor/mediadrm.

Test: Play Movies & TV, Netflix
  Ensure offline playback works after the move.

bug: 36601695
Change-Id: Ie7ed580036fe0b6113eb4c39210e90dc08478230
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 118fbd1..d954c00 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -69,6 +69,7 @@
 type ese_vendor_data_file, file_type, data_file_type;
 type sensors_vendor_data_file, file_type, data_file_type;
 type audio_vendor_data_file, file_type, data_file_type;
+type mediadrm_vendor_data_file, file_type, data_file_type;
 
 type vendor_firmware_file, vendor_file_type, file_type;
 
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 9e384e0..62c1ea3 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -116,6 +116,9 @@
 # Block device for ZRAM
 /dev/block/zram0                                u:object_r:swap_block_device:s0
 
+# file in /system
+/system/bin/move_widevine_data\.sh              u:object_r:move-widevine-data-sh_exec:s0
+
 # files in /vendor
 /vendor/firmware(/.*)?          u:object_r:vendor_firmware_file:s0
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service.wahoo      u:object_r:hal_dumpstate_impl_exec:s0
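Review bot: The comment above the new /system/bin/move_widevine_data\.sh entry, `# file in /system`, says where the file lives but not what it is, and this is the only /system entry in a vendor file_contexts that otherwise labels /vendor paths, so a reader will wonder why it is here. Suggest `# one-shot migration service for persistent DRM data (domain in move-widevine-data-sh.te)` in its place. The second hunk in this file, adding /data/vendor/mediadrm, is consistent with the neighbouring /data/vendor entries and needs nothing.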
@@ -255,6 +258,7 @@
 /data/vendor/ipa(/.*)?                 u:object_r:ipa_vendor_data_file:s0
 /data/vendor/sensors(/.*)?             u:object_r:sensors_vendor_data_file:s0
 /data/vendor/audio(/.*)?               u:object_r:audio_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)?            u:object_r:mediadrm_vendor_data_file:s0
 
 # input files
 /vendor/usr/idc(/.*)?                  u:object_r:idc_file:s0
diff --git a/sepolicy/vendor/hal_drm_default.te b/sepolicy/vendor/hal_drm_default.te
index d734614..3781f12 100644
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
@@ -1,7 +1 @@
 allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
-
-# TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm_default no longer directly accesses media_data_file.
-typeattribute hal_drm_default data_between_core_and_vendor_violators;
-allow hal_drm_default media_data_file:dir create_dir_perms;
-allow hal_drm_default media_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index da90b82..a8750c6 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -16,10 +16,7 @@
 allow hal_drm_widevine qdisplay_service:service_manager { find };
 binder_call(hal_drm_widevine, hal_graphics_composer)
 
-# TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm_widevine no longer directly accesses media_data_file.
-typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
-allow hal_drm_widevine media_data_file:dir create_dir_perms;
-allow hal_drm_widevine media_data_file:file create_file_perms;
-
 allow hal_drm_widevine hal_allocator_server:fd use;
+
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
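Review bot: The two new allow rules at the end of the hunk carry no comment, whereas the block they replace explained itself with a TODO tied to b/36601695; a line such as `# Persistent DRM state now lives in /data/vendor/mediadrm (b/36601695).` above them would keep that context. Note that create_file_perms includes unlink, so the HAL can remove the files_moved marker that move-widevine-data-sh.te writes; whether that re-triggers the migration depends on the script, which is not in this diff, so it is worth confirming. The hal_drm_default hunk in this commit drops its media_data_file access without a replacement grant on mediadrm_vendor_data_file; that is fine if that domain never persisted data, but the commit message does not say.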
diff --git a/sepolicy/vendor/move-widevine-data-sh.te b/sepolicy/vendor/move-widevine-data-sh.te
new file mode 100644
index 0000000..e2541e5
--- /dev/null
+++ b/sepolicy/vendor/move-widevine-data-sh.te
@@ -0,0 +1,18 @@
+type move-widevine-data-sh, domain, coredomain;
+type move-widevine-data-sh_exec, exec_type, file_type;
+init_daemon_domain(move-widevine-data-sh);
+
+typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
+
+allow move-widevine-data-sh shell_exec:file rx_file_perms;
+allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
+
+allow move-widevine-data-sh file_contexts_file:file { read getattr open };
+
+allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
+allow move-widevine-data-sh media_data_file:dir  { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+
+allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
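Review bot: The new domain has no header comment, and the only comment in the file explains a single rule, so the relabelfrom/relabelto pairs on media_data_file and mediadrm_vendor_data_file, which are the non-obvious part, go unexplained. Suggest opening the file with `# One-shot init service that moves persistent DRM data from /data/mediadrm (media_data_file) to /data/vendor/mediadrm (mediadrm_vendor_data_file); see b/36601695.` and, above the media_data_file rules, `# The moved tree presumably keeps its old label until restorecon (hence file_contexts_file read); allow relabel from media_data_file to mediadrm_vendor_data_file.` The data_between_core_and_vendor_violators attribute is what lets this coredomain touch media_data_file at all; a comment stating it is intentional and scoped to the migration, unlike the TODO-marked usage removed from the HAL domains, would stop it being read as leftover debt.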