Add hal_drm_widevine for Widevine exec sepolicy

Bug: 243699259 Test: atp v2/widevine-eng/drm_compliance Change-Id: Ifede19e690cb7b7333016df08fb146a0ec8f7409
2022-12-30 01:03:59 +00:00 · 2022-12-30 01:03:59 +00:00 · 902db3961f
commit 902db3961f
parent 8c2188f24e
4 changed files with 17 additions and 5 deletions
--- a/tracking_denials/hal_drm_default.te
+++ b/tracking_denials/hal_drm_default.te
@ -1,4 +0,0 @@
-# b/223502652
-dontaudit hal_drm_default vndbinder_device:chr_file { read };
-# b/232714489
-dontaudit hal_drm_default default_prop:file { read };
--- a/tracking_denials/hal_drm_widevine.te
+++ b/tracking_denials/hal_drm_widevine.te
@ -0,0 +1,4 @@
+# b/223502652
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
+# b/232714489
+dontaudit hal_drm_widevine default_prop:file { read };
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@ -1,7 +1,7 @@
 #
 # Exynos HAL
 #
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine       u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine       u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey          u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32                            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service  u:object_r:hal_vendor_hwcservice_default_exec:s0
--- a/whitechapel/vendor/google/hal_drm_widevine.te
+++ b/whitechapel/vendor/google/hal_drm_widevine.te
@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;