1# HwBinder IPC from client to server, and callbacks 2binder_use(hal_drm_server) 3binder_call(hal_drm_client, hal_drm_server) 4binder_call(hal_drm_server, hal_drm_client) 5 6hal_attribute_hwservice(hal_drm, hal_drm_hwservice) 7hal_attribute_service(hal_drm, hal_drm_service) 8 9allow hal_drm hidl_memory_hwservice:hwservice_manager find; 10 11# Required by Widevine DRM (b/22990512) 12allow hal_drm self:process execmem; 13 14# Permit reading device's serial number from system properties 15get_prop(hal_drm_server, serialno_prop) 16# Permit reading force L3 system property 17get_prop(hal_drm_server, drm_forcel3_prop) 18 19# Read files already opened under /data 20allow hal_drm system_data_file:file { getattr read }; 21 22# Read access to pseudo filesystems 23r_dir_file(hal_drm, cgroup) 24allow hal_drm cgroup:dir { search write }; 25allow hal_drm cgroup:file w_file_perms; 26 27r_dir_file(hal_drm, cgroup_v2) 28allow hal_drm cgroup_v2:dir { search write }; 29allow hal_drm cgroup_v2:file w_file_perms; 30 31# Allow dumpsys Widevine without root 32allow hal_drm_server shell:fd use; 33allow hal_drm_server shell:fifo_file write; 34 35# Allow access to ion memory allocation device 36allow { hal_drm -hal_widevine_system } ion_device:chr_file rw_file_perms; 37allow hal_drm hal_graphics_allocator:fd use; 38 39# Allow access to hidl_memory allocation service 40allow hal_drm hal_allocator_server:fd use; 41 42# Allow access to fds allocated by mediaserver 43allow hal_drm mediaserver:fd use; 44 45allow { hal_drm -hal_widevine_system } sysfs:file r_file_perms; 46 47allow { hal_drm -hal_widevine_system } tee_device:chr_file rw_file_perms; 48 49allow hal_drm_server { appdomain -isolated_app }:fd use; 50 51# Reduce the audit log spam caused by the Rikers anti-root check (b/393637335) 52dontaudit hal_drm system_userdir_file:dir search; 53dontaudit hal_drm system_data_file:dir search; 54 55# only allow unprivileged socket ioctl commands 56allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket } 57 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 58 59### 60### neverallow rules 61### 62 63# hal_drm should never execute any executable without a 64# domain transition 65neverallow hal_drm_server { file_type fs_type }:file execute_no_trans; 66 67# do not allow privileged socket ioctl commands 68neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 69