      1 # drmserver - DRM service
        # Domain for the DRM service daemon, and the type applied to its executable.
      2 type drmserver, domain;
      3 type drmserver_exec, exec_type, file_type;
      4 
        # mlstrustedsubject exempts this domain from the MLS level constraints, so it
        # can operate on objects at any MLS level. This is a broad exemption; it should
        # be kept only while the daemon genuinely has to serve data across levels.
      5 typeattribute drmserver mlstrustedsubject;
      6 
        # Basic network socket access (net_domain macro).
      7 net_domain(drmserver)
      8 
      9 # Perform Binder IPC to system server.
     10 binder_use(drmserver)
     11 binder_call(drmserver, system_server)
        # appdomain is the attribute of every app domain, so this service is reachable
        # over Binder from any installed app: every Binder entry point must treat its
        # arguments as untrusted input.
     12 binder_call(drmserver, appdomain)
     13 binder_service(drmserver)
     14 # Inherit or receive open files from system_server.
     15 allow drmserver system_server:fd use;
     16 
     17 # Perform Binder IPC to mediaserver
     18 binder_call(drmserver, mediaserver)
     19 
     20 allow drmserver sdcard_type:dir search;
        # Full create/read/write on the daemon's own data files.
     21 allow drmserver drm_data_file:dir create_dir_perms;
     22 allow drmserver drm_data_file:file create_file_perms;
        # Read/write on the TEE device node; this is a privileged interface and stays
        # confined to this domain.
     23 allow drmserver tee_device:chr_file rw_file_perms;
        # No "open" in the next two rules: drmserver cannot open app-private or sdcard
        # files by path itself, it can only read/write descriptors another process
        # has already opened and handed to it (e.g. over Binder). Adding "open" here
        # would turn this into blanket access to app data.
     24 allow drmserver app_data_file:file { read write getattr };
     25 allow drmserver sdcard_type:file { read write getattr };
     26 r_dir_file(drmserver, efs_file)
     27 
        # Label for the socket file the daemon creates (see below).
     28 type drmserver_socket, file_type;
     29 
     30 # /data/app/tlcd_sock socket file.
     31 # Clearly, /data/app is the most logical place to create a socket.  Not.
        # rw_dir_perms lets the daemon add and remove names in the APK directory.
        # Removing an entry still requires a permission on the entry's own class, and
        # the only one granted is "unlink" on sock_file (rule 35), so APK files
        # labeled apk_data_file are not deletable from this domain.
     32 allow drmserver apk_data_file:dir rw_dir_perms;
     33 allow drmserver drmserver_socket:sock_file create_file_perms;
     34 # Delete old socket file if present.
     35 allow drmserver apk_data_file:sock_file unlink;
     36 
     37 # After taking a video, drmserver looks at the video file.
     38 r_dir_file(drmserver, media_rw_data_file)
     39 
     40 # Read resources from open apk files passed over Binder.
        # Again no "open": read-only on descriptors received from other processes.
     41 allow drmserver apk_data_file:file { read getattr };
     42 allow drmserver asec_apk_file:file { read getattr };
     43 allow drmserver ringtone_file:file { read getattr };
     44 
     45 # Read /data/data/com.android.providers.telephony files passed over Binder.
     46 allow drmserver radio_data_file:file { read getattr };
     47 
     48 # /oem access
     49 allow drmserver oemfs:dir search;
     50 allow drmserver oemfs:file r_file_perms;
     51 
        # Register drmserver_service with servicemanager and look up permission_service.
     52 add_service(drmserver, drmserver_service)
     53 allow drmserver permission_service:service_manager find;
     54 
        # Lets the daemon query the kernel policy (selinux_check_access) to make its
        # own access decisions for the clients it serves.
     55 selinux_check_access(drmserver)
     56 
     57 r_dir_file(drmserver, cgroup)
     58 r_dir_file(drmserver, system_file)
     59