Add selinux policy for hdcpd.

Tracked-On: OAM-73644 Signed-off-by: Huang, Yuanjun <[email protected]>
projectceladon · Dec 19, 2018 · 013e3df · 013e3df
1 parent 83a7d3f
commit 013e3df
Show file tree

Hide file tree

Showing 8 changed files with 86 additions and 0 deletions.
diff --git a/sepolicy/graphics/project-celadon/hdcpd.te b/sepolicy/graphics/project-celadon/hdcpd.te
@@ -0,0 +1,6 @@
+#
+# hdcpd
+#
+
+#gfx
+#allow hdcpd sysfs_gfx:file rw_file_perms;
diff --git a/sepolicy/hdcpd/file.te b/sepolicy/hdcpd/file.te
@@ -0,0 +1,2 @@
+ # hdcp
+ type hdcpd_data_file, file_type, data_file_type;
diff --git a/sepolicy/hdcpd/file_contexts b/sepolicy/hdcpd/file_contexts
@@ -0,0 +1,6 @@
+# hdcpd
+(/system)?/vendor/bin/hdcpd    u:object_r:hdcpd_exec:s0
+
+# Even though hdcpd creates this itself, we keep a fc entry
+# incase we need to relabel existing nodes
+/data/hdcp(/.*)?            u:object_r:hdcpd_data_file:s0
diff --git a/sepolicy/hdcpd/hdcpd.te b/sepolicy/hdcpd/hdcpd.te
@@ -0,0 +1,40 @@
+# Rules for system/bin/dhcpd
+type hdcpd, domain;
+type hdcpd_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hdcpd);
+
+# need use vendor binder to access msync service
+vndbinder_use(hdcpd)
+not_full_treble(`
+  binder_call(hdcpd, surfaceflinger)
+
+  # Find hwc.info service from surfaceflinger
+  allow hdcpd surfaceflinger_service:service_manager find;
+')
+
+allow hdcpd hwc_info_service:service_manager find;
+binder_call(hdcpd, hal_graphics_composer_default)
+
+allow hdcpd self:netlink_kobject_uevent_socket create_socket_perms;
+allowxperm hdcpd self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+# sysfs access
+allow hdcpd sysfs:dir r_dir_perms;
+allow hdcpd sysfs:file r_file_perms;
+
+# gpu_device
+allow hdcpd gpu_device:dir r_dir_perms;
+allow hdcpd gpu_device:chr_file rw_file_perms;
+
+# self generated /data/hdcp
+allow hdcpd system_data_file:dir ra_dir_perms;
+type_transition hdcpd system_data_file:dir hdcpd_data_file;
+allow hdcpd hdcpd_data_file:dir create_dir_perms;
+allow hdcpd hdcpd_data_file:{ file sock_file } create_file_perms;
+
+# tmpfs
+allow hdcpd tmpfs:dir w_dir_perms;
+allow hdcpd hdcpd_tmpfs:file create_file_perms;
+
+allow hdcpd proc_graphics:file r_file_perms;
+
diff --git a/sepolicy/hdcpd/mediadrmserver.te b/sepolicy/hdcpd/mediadrmserver.te
@@ -0,0 +1,11 @@
+#
+# mediadrmserver
+#
+
+# breaks treble as mediadrmserver should be instrumented to a
+# vendor hal interface.
+not_full_treble(`
+  allow mediadrmserver hdcpd:unix_stream_socket connectto;
+  allow mediadrmserver hdcpd_data_file:dir search;
+  allow mediadrmserver hdcpd_data_file:sock_file write;
+')
diff --git a/sepolicy/hdcpd/mediaserver.te b/sepolicy/hdcpd/mediaserver.te
@@ -0,0 +1,9 @@
+#
+# mediaserver
+#
+
+not_full_treble(`
+  allow mediaserver hdcpd:unix_stream_socket connectto;
+  allow mediaserver hdcpd_data_file:sock_file write;
+  allow mediaserver hdcpd_data_file:dir { search };
+')
diff --git a/sepolicy/hdcpd/vendor_init.te b/sepolicy/hdcpd/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init hdcpd_data_file:dir create_dir_perms;
diff --git a/sepolicy/hdcpd/violators_blacklist.te b/sepolicy/hdcpd/violators_blacklist.te
@@ -0,0 +1,11 @@
+typeattribute hdcpd data_between_core_and_vendor_violators;
+
+#FAILED: out/target/product/gordon_peak/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
+#The following types in proc must be associated with the "proc_type" attribute: proc_graphics
+typeattribute proc_graphics proc_type;
+
+#make sepolicy_tests error:
+#The following types on /data/ must be associated with the "core_data_file_type" attribute: hdcpd_data_file
+typeattribute hdcpd_data_file core_data_file_type;
+
+typeattribute vendor_init data_between_core_and_vendor_violators;