# drmserver - DRM service
#
# Type-enforcement rules for the drmserver domain. Rules are grouped by the
# kind of object they touch; allow rules are order-independent, so the
# grouping does not change the compiled policy.

# ---- Type declarations ----
type drmserver, domain;
type drmserver_exec, system_file_type, exec_type, file_type;
# Label for the socket file the daemon creates (see the tlcd_sock rules below).
type drmserver_socket, file_type;

# mlstrustedsubject exempts the domain from the MLS constraints applied to
# ordinary subjects, so the file rules below are not narrowed by per-app
# categories. Review any new grant with that in mind.
typeattribute drmserver mlstrustedsubject;

# ---- Network ----
net_domain(drmserver)

# ---- Binder IPC ----
binder_use(drmserver)
binder_service(drmserver)
# Perform Binder IPC to system server.
binder_call(drmserver, system_server)
# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)
binder_call(drmserver, appdomain)
binder_call(drmserver, mediametrics)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;

# ---- Service manager ----
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
allow drmserver mediametrics_service:service_manager find;

# ---- DRM private data: full create/manage rights on its own label ----
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;

# ---- Files received as already-open descriptors ----
# None of the permission sets in this group contain `open`, so drmserver
# cannot open these files by path; it can only operate on descriptors that
# another process opened and handed over.
allow drmserver { app_data_file privapp_data_file sdcard_type }:file { read write getattr map };
# Read resources from open apk files passed over Binder.
allow drmserver { apk_data_file asec_apk_file ringtone_file }:file { read getattr map };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr map };
# overlay package access
allow drmserver vendor_overlay_file:file { read map };

# Directory traversal only (no listing) on external storage.
allow drmserver sdcard_type:dir search;

# ---- Read-only trees ----
r_dir_file(drmserver, efs_file)
# After taking a video, drmserver looks at the video file.
r_dir_file(drmserver, media_rw_data_file)
r_dir_file(drmserver, cgroup)
r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)

# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;

# ---- /data/app/tlcd_sock socket file ----
# Clearly, /data/app is the most logical place to create a socket.  Not.
#
# The directory grant gives drmserver write access to the directory that
# holds installed packages. The auditallow rules grant nothing; they log every
# actual use of add_name/write on that directory and every socket creation,
# so the audit log shows whether this grant is still exercised.
allow drmserver apk_data_file:dir rw_dir_perms;
auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# ---- SELinux access queries ----
selinux_check_access(drmserver)