# drmserver - DRM service
# Policy for the drmserver domain. Every rule below is a grant to drmserver.
# The macros used here (net_domain, binder_*, r_dir_file, add_service,
# selinux_check_access) and the permission sets (create_dir_perms,
# create_file_perms, rw_dir_perms, r_file_perms) are defined outside this file.
type drmserver, domain;
type drmserver_exec, system_file_type, exec_type, file_type;

# Marks drmserver as an MLS-trusted subject. In AOSP the MLS constraints
# (not shown here) exempt such subjects from the category checks that keep
# one app from touching the data of another, so every file grant in this
# domain applies across all apps and users.
typeattribute drmserver mlstrustedsubject;

# Network access for the domain.
# NOTE(review): the reason drmserver needs the network is not stated in this
# file - confirm it is still required.
net_domain(drmserver)

# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
# appdomain is an attribute, so this covers calls into every app domain.
binder_call(drmserver, appdomain)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;

# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)

# Own data under drm_data_file: create and manage directories and files.
# App-private data and sdcard files: the permission sets below contain no
# open, so within this file drmserver can only use descriptors that were
# already opened by another process and handed to it. It cannot open those
# files by path itself. On sdcard_type directories only search is granted.
allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
allow drmserver sdcard_type:file { read write getattr map };
# Read-only access to efs_file directories and files.
# NOTE(review): what lives under efs_file is not described here - confirm
# which devices need this.
r_dir_file(drmserver, efs_file)

# Label for the socket file that drmserver creates (see below).
type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
# rw_dir_perms lets drmserver add and remove entries in directories labelled
# apk_data_file, the label used for installed APKs. On objects inside them
# this file only allows creating a drmserver_socket sock_file, unlinking an
# apk_data_file sock_file, and reading already-open apk files further down.
# How the new socket ends up labelled drmserver_socket is not shown in this
# file (presumably a type_transition elsewhere - confirm).
allow drmserver apk_data_file:dir rw_dir_perms;
allow drmserver drmserver_socket:sock_file create_file_perms;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.
# Read-only: r_dir_file grants no write on media_rw_data_file.
r_dir_file(drmserver, media_rw_data_file)

# Read resources from open apk files passed over Binder.
# No open permission here, so the descriptor must come from the caller.
allow drmserver apk_data_file:file { read getattr map };
allow drmserver asec_apk_file:file { read getattr map };
allow drmserver ringtone_file:file { read getattr map };

# Read /data/data/com.android.providers.telephony files passed over Binder.
# Same descriptor-only pattern: read, getattr and map, without open.
allow drmserver radio_data_file:file { read getattr map };

# /oem access
# Unlike the rules above, r_file_perms includes open, so drmserver may open
# oemfs files by path. Access is read-only.
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;

# Register drmserver_service with the service manager, and allow looking up
# permission_service.
# NOTE(review): the lookup is presumably used to check caller permissions -
# confirm against the drmserver sources.
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;

# Allow drmserver to ask SELinux for access decisions.
# NOTE(review): presumably for checking callers of its Binder service -
# confirm.
selinux_check_access(drmserver)

# Read-only access to cgroup and system_file directories and files.
r_dir_file(drmserver, cgroup)
r_dir_file(drmserver, system_file)