# drmserver - DRM service
#
# Type-enforcement rules for the drmserver domain. The macros used here
# (init_daemon_domain, net_domain, binder_*, r_dir_file) and the permission
# sets (create_dir_perms, create_file_perms, rw_file_perms, rw_dir_perms,
# r_file_perms) are defined outside this file; the comments below describe
# them only as far as their names and AOSP convention allow.
# Review focus: this domain takes part in network traffic and Binder IPC with
# every app domain while also holding access to the TEE device and TEE
# socket, so each grant below should stay as narrow as the daemon needs.

# The process domain and the label of its executable.
type drmserver, domain;
type drmserver_exec, exec_type, file_type;

# Presumably sets up the automatic init -> drmserver transition when init
# executes a drmserver_exec file -- confirm against the macro definition.
init_daemon_domain(drmserver)
# NOTE(review): mlstrustedsubject is the attribute that MLS constraints
# normally exempt, so level/category separation would not restrict this
# domain. The constraint definitions are not in this file -- confirm there,
# and treat every file grant below as applying across MLS levels.
typeattribute drmserver mlstrustedsubject;

# Network access for the domain (the exact socket permissions come from the
# macro).
net_domain(drmserver)

# Perform Binder IPC to system server.
# The calls below also reach every domain carrying the appdomain attribute,
# and binder_service presumably lets drmserver act as a Binder service
# itself -- confirm against the macro definition.
binder_use(drmserver)
binder_call(drmserver, system_server)
binder_call(drmserver, appdomain)
binder_service(drmserver)

# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)

# File access. The explicit { read write getattr } sets on app_data_file and
# sdcard_type files do not include "open": as written, drmserver can use an
# already-open descriptor for such a file but cannot open one by path.
# It owns drm_data_file content (create_*_perms) and has read/write access to
# the tee_device character device.
allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
# Read-only access to efs_file directories and files (per the macro name).
r_dir_file(drmserver, efs_file)

# Label for the socket file drmserver creates (see the type_transition below).
type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
# NOTE(review): rw_dir_perms is granted on every directory labelled
# apk_data_file, not just the one holding the socket. The type_transition
# relabels a sock_file created there to drmserver_socket, and create
# permission is granted only for that type. Keeping the socket in a
# directory with its own label would let the apk_data_file:dir grant be
# dropped.
allow drmserver apk_data_file:dir rw_dir_perms;
type_transition drmserver apk_data_file:sock_file drmserver_socket;
allow drmserver drmserver_socket:sock_file create_file_perms;
# Connect to a unix stream socket owned by the tee domain.
allow drmserver tee:unix_stream_socket connectto;
# Delete old socket file if present.
# This covers a sock_file still labelled apk_data_file, i.e. one that did not
# receive the drmserver_socket label.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.
r_dir_file(drmserver, media_rw_data_file)

# Read resources from open apk files passed over Binder.
# No "open" and no write here: read-only use of descriptors handed in.
allow drmserver apk_data_file:file { read getattr };
allow drmserver asec_apk_file:file { read getattr };

# Read /data/data/com.android.providers.telephony files passed over Binder.
# Likewise limited to read/getattr, without "open".
allow drmserver radio_data_file:file { read getattr };

# Register drmserver_service with the service manager.
allow drmserver drmserver_service:service_manager add;

# /oem access
# Directory search plus r_file_perms on files; r_file_perms presumably
# includes "open", unlike the explicit sets above -- confirm in the macro
# definitions.
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;