public/hal_drm.te - platform/system/sepolicy - Git at Google

 # HwBinder IPC from client to server, and callbacks
 binder_use(hal_drm_server)
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)

 hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
 hal_attribute_service(hal_drm, hal_drm_service)

 allow hal_drm hidl_memory_hwservice:hwservice_manager find;

 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;

 # Permit reading device's serial number from system properties
 get_prop(hal_drm, serialno_prop)

 # Read files already opened under /data
 allow hal_drm system_data_file:file { getattr read };

 # Read access to pseudo filesystems
 r_dir_file(hal_drm, cgroup)
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;

 r_dir_file(hal_drm, cgroup_v2)
 allow hal_drm cgroup_v2:dir { search write };
 allow hal_drm cgroup_v2:file w_file_perms;

 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;

 # Allow access to hidl_memory allocation service
 allow hal_drm hal_allocator_server:fd use;

 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;

 allow hal_drm sysfs:file r_file_perms;

 allow hal_drm tee_device:chr_file rw_file_perms;

 allow hal_drm_server { appdomain -isolated_app }:fd use;

 # only allow unprivileged socket ioctl commands
 allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

 ###
 ### neverallow rules
 ###

 # hal_drm should never execute any executable without a
 # domain transition
 neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;

 # do not allow privileged socket ioctl commands
 neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
	# HwBinder IPC from client to server, and callbacks
	binder_use(hal_drm_server)
	binder_call(hal_drm_client, hal_drm_server)
	binder_call(hal_drm_server, hal_drm_client)

	hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
	hal_attribute_service(hal_drm, hal_drm_service)

	allow hal_drm hidl_memory_hwservice:hwservice_manager find;

	# Required by Widevine DRM (b/22990512)
	allow hal_drm self:process execmem;

	# Permit reading device's serial number from system properties
	get_prop(hal_drm, serialno_prop)

	# Read files already opened under /data
	allow hal_drm system_data_file:file { getattr read };

	# Read access to pseudo filesystems
	r_dir_file(hal_drm, cgroup)
	allow hal_drm cgroup:dir { search write };
	allow hal_drm cgroup:file w_file_perms;

	r_dir_file(hal_drm, cgroup_v2)
	allow hal_drm cgroup_v2:dir { search write };
	allow hal_drm cgroup_v2:file w_file_perms;

	# Allow access to ion memory allocation device
	allow hal_drm ion_device:chr_file rw_file_perms;
	allow hal_drm hal_graphics_allocator:fd use;

	# Allow access to hidl_memory allocation service
	allow hal_drm hal_allocator_server:fd use;

	# Allow access to fds allocated by mediaserver
	allow hal_drm mediaserver:fd use;

	allow hal_drm sysfs:file r_file_perms;

	allow hal_drm tee_device:chr_file rw_file_perms;

	allow hal_drm_server { appdomain -isolated_app }:fd use;

	# only allow unprivileged socket ioctl commands
	allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
	ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

	###
	### neverallow rules
	###

	# hal_drm should never execute any executable without a
	# domain transition
	neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;

	# do not allow privileged socket ioctl commands
	neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;