Merge "CastAuth: SELinux rules for the MediaDrm plugin" into tm-qpr-dev am: bf74335744

Original change: https://googleplex-android-review.googlesource.com/c/device/google/tangorpro-sepolicy/+/20068298

Change-Id: I4134f4c6034bbeb5c18c929bf7a2d475691457e8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

vendor/file.te

@@ -1,2 +1,5 @@
 #Pogo USB control & status
 type sysfs_pogo_usb, sysfs_type, fs_type;
+
+# Cast device certificate
+type device_cert_file, file_type, vendor_persist_type;

vendor/file_contexts

@@ -9,3 +9,7 @@
 
 # Privacy LED
 /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro          u:object_r:hal_light_default_exec:s0
+
+# Cast Factory Credentials
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+/mnt/vendor/persist/nest/cast_auth\.crt                u:object_r:device_cert_file:s0

vendor/hal_drm_cast.te

@@ -0,0 +1,10 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_cast)
+hal_server_domain(hal_drm_cast, hal_drm)
+
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;
+neverallow { domain -init -vendor_init -hal_drm_cast } device_cert_file:file no_rw_file_perms;

vendor/service_contexts

@@ -0,0 +1,2 @@
+# Cast Factory Credentials
+android.hardware.drm.IDrmFactory/castkey                         u:object_r:hal_drm_service:s0