address denials when playing protected content.

When playing protected content, surfaceflinger would crash.

  STEPS TO REPRODUCE:
  1. Launch Play Movies & TV
  2. Play any movie and observe

  OBSERVED RESULTS:
  Device reboot while playing movies

  EXPECTED RESULTS:
  No device reboot

Addresses the following denials:

<5>[   36.056983] type=1400 audit(1389141624.461:6): avc:  denied  { read write } for  pid=1855 comm="TimedEventQueue" name="s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:mediaserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file
<5>[   36.057169] type=1400 audit(1389141624.461:7): avc:  denied  { open } for  pid=1855 comm="TimedEventQueue" name="s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:mediaserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file
<5>[   36.057468] type=1400 audit(1389141624.461:8): avc:  denied  { ioctl } for  pid=1855 comm="TimedEventQueue" path="/dev/s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:mediaserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file
<5>[   36.067371] type=1400 audit(1389141624.471:11): avc:  denied  { read write } for  pid=1607 comm="drmserver" name="s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:drmserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file
<5>[   36.067526] type=1400 audit(1389141624.471:12): avc:  denied  { open } for  pid=1607 comm="drmserver" name="s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:drmserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file
<5>[   36.067709] type=1400 audit(1389141624.471:13): avc:  denied  { ioctl } for  pid=1607 comm="drmserver" path="/dev/s5p-smem" dev="tmpfs" ino=4271 scontext=u:r:drmserver:s0 tcontext=u:object_r:secmem_device:s0 tclass=chr_file

Change-Id: I20286ec2a6cf0d190a84ad74e88e94468bab9fdb
Bug: 12434847
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 065f7d2..b2a2e67 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -91,6 +91,7 @@
 	adbd.te \
 	device.te \
 	domain.te \
+	drmserver.te \
 	healthd.te \
 	gpsd.te \
 	file.te \
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..eba2500
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1 @@
+allow drmserver secmem_device:chr_file rw_file_perms;
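Review bot: `rw_file_perms` in the new sepolicy/drmserver.te grants more than the denials in the commit message ask for, and the same applies to the rule added in sepolicy/mediaserver.te. The audit lines show only read, write, open and ioctl on secmem_device, while the AOSP macro also carries getattr, lock and append. Because the open and ioctl denials were logged after the read/write one, the log looks like a permissive-mode run and is probably complete for this playback path, so the rule could be narrowed to `allow drmserver secmem_device:chr_file { read write open ioctl };`. The new file also has no comment, unlike mediaserver.te; a line such as `# Secure memory device (/dev/s5p-smem) for DRM protected playback` would record why the rule exists.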
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index b448c4f..4770451 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1 +1,4 @@
 allow mediaserver system_server:unix_stream_socket { read write setopt };
+
+# Playback DRM protected content
+allow mediaserver secmem_device:chr_file rw_file_perms;
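Review bot: The comment above the new mediaserver rule does not say which device is being opened up or which bug motivated it. That matters here because mediaserver is the domain that parses untrusted media, so this rule makes the ioctl interface of the secure-memory driver reachable from it. I would name the node and the bug so a later policy audit can trace the grant: `# DRM protected playback: mediaserver needs /dev/s5p-smem (secmem_device), bug 12434847`. If the driver exposes ioctls that playback does not use, they presumably have to be restricted in the driver itself, since this allow rule cannot filter individual ioctl commands.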