From c3ea668daa0e2f44abe26440def84d01cb7364ea Mon Sep 17 00:00:00 2001
From: Ryan Ki Sing Chung <ryanchung@google.com>
Date: Wed, 5 Oct 2022 01:06:19 +0000
Subject: [PATCH] Revert "Revert "CastAuth: SELinux rules for the MediaDrm
 plugin""

This reverts commit fae580c5ce2762b5ecae4183aefe7a31e78070c8.

Reason for revert: Relanding with fix

Bug: 250900568
Change-Id: I242a8b710d7d44e7390a1d63e39f7ebd7d406a4c
---
 vendor/file.te          | 3 +++
 vendor/file_contexts    | 4 ++++
 vendor/hal_drm_cast.te  | 9 +++++++++
 vendor/service_contexts | 2 ++
 4 files changed, 18 insertions(+)
 create mode 100644 vendor/hal_drm_cast.te
 create mode 100644 vendor/service_contexts

diff --git a/vendor/file.te b/vendor/file.te
index 0b57fda..32ab75b 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,5 @@
 #Pogo USB control & status
 type sysfs_pogo_usb, sysfs_type, fs_type;
+
+# Cast device certificate
+type device_cert_file, file_type, vendor_persist_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index cd84223..792f30a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,3 +9,7 @@
 
 # Privacy LED
 /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro          u:object_r:hal_light_default_exec:s0
+
+# Cast Factory Credentials
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+/mnt/vendor/persist/nest/cast_auth\.crt                u:object_r:device_cert_file:s0
diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te
new file mode 100644
index 0000000..800a231
--- /dev/null
+++ b/vendor/hal_drm_cast.te
@@ -0,0 +1,9 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_cast)
+hal_server_domain(hal_drm_cast, hal_drm)
+
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;
diff --git a/vendor/service_contexts b/vendor/service_contexts
new file mode 100644
index 0000000..f93a0e0
--- /dev/null
+++ b/vendor/service_contexts
@@ -0,0 +1,2 @@
+# Cast Factory Credentials
+android.hardware.drm.IDrmFactory/castkey                         u:object_r:hal_drm_service:s0