From bd3767ae16a3e11166c95d9ecd3bbccc5800ba09 Mon Sep 17 00:00:00 2001
From: Snehal
Date: Tue, 3 Sep 2024 09:34:57 +0000
Subject: [PATCH] Add widevine SELinux permissions

15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1934): avc: denied { call } for scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_clearkey:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo
15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1935): avc: denied { call } for scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_widevine:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo
860 860 I android.hardwar: type=1400 audit(0.0:4302): avc: denied { write } for name="mediadrm" dev="dm-57" ino=2565 scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1
860 860 I android.hardwar: type=1400 audit(0.0:4304): avc: denied { create } for name="IDM1013" scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1
Bug: 363182767
Bug: 363181505
Flag: EXEMPT bugfix
Change-Id: Ia8c3ba3d7fe9f09ceb40fd2b6ae88bbbcf5ac6f6
---
 widevine/sepolicy/hal_drm_clearkey.te | 3 ++-
 widevine/sepolicy/hal_drm_widevine.te | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/widevine/sepolicy/hal_drm_clearkey.te b/widevine/sepolicy/hal_drm_clearkey.te
index 81ecfb9..fff4f0d 100644
--- a/widevine/sepolicy/hal_drm_clearkey.te
+++ b/widevine/sepolicy/hal_drm_clearkey.te
@@ -1,5 +1,6 @@
+# sepolicy for DRM clearkey
 type hal_drm_clearkey, domain;
 type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_clearkey)
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/sepolicy/hal_drm_widevine.te b/widevine/sepolicy/hal_drm_widevine.te
index 41e395a..9b4792e 100644
--- a/widevine/sepolicy/hal_drm_widevine.te
+++ b/widevine/sepolicy/hal_drm_widevine.te
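Review bot: The added header `# sepolicy for DRM clearkey` only restates the file name, while the line that actually changes behavior, `hal_server_domain(hal_drm_clearkey, hal_drm)`, is left unexplained; the hal_drm_widevine.te hunk has the same gap with `# sepolicy for DRM widevine`. The commit message ties this change to the `untrusted_app_29 -> hal_drm_clearkey` `binder { call }` denial, so the comment should record that linkage, e.g. `# Register as a hal_drm server so hal_drm client domains can reach this HAL over binder (fixes the untrusted_app binder:call denial).` Whether app domains are already hal_drm clients in the base policy is not visible here and should be confirmed before relying on the macro alone. Both hunk headers (`-1,5 +1,6` and `-1,5 +1,13`) count one more line than is shown, so each hunk may be truncated by a trailing line in this view.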
@@ -1,5 +1,13 @@
+# sepolicy for DRM widevine
 type hal_drm_widevine, domain;
 type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_widevine)
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+#L1
+#TODO(snehalreddy@) : Add L1 permissions
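Review bot: The two `# L3` allow rules grant more than the denials the commit message records: the logged denials are only `write` and `create` on `mediadrm_vendor_data_file:dir`, yet the hunk also adds `create_file_perms` on `:file`, and `create_dir_perms` carries removal and rename permissions beyond `write`/`create`. Either narrow the rules to the observed need or document why the full set is required, e.g. `# L3: the HAL creates directories under the mediadrm vendor data dir (dir write/create seen in denials); file rules are for the state it writes there -- confirm against an enforcing run.` The denials were captured with `permissive=1`, so additional accesses may surface once the domain is enforcing, and the `#TODO(snehalreddy@) : Add L1 permissions` stub makes clear the L1 path has not been exercised at all. The comment spacing (`# L3` vs `#L1`) is also inconsistent within the same hunk.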