
Robert Craig committed 63008e6

Yet another mako policy (YAMP)

- Updates to some property service policy for
both bluetooth and net manager

- Updates to tee and drm access

Change-Id: I0d634dd437ea717b4ad38be93c3993bbe55e49a9
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>


Files changed (10)

 
 BOARD_SEPOLICY_UNION += \
 	file_contexts \
+	property_contexts \
 	te_macros \
 	bluetooth_loader.te \
 	bridge.te \
 	device.te \
 	dhcp.te \
 	domain.te \
+	drmserver.te \
 	file.te \
 	kickstart.te \
 	init.te \
 	mediaserver.te \
 	mpdecision.te \
 	netmgrd.te \
+	property.te \
 	qmux.te \
 	rild.te \
 	rmt.te \
     restorecon /persist/bluetooth/.bdaddr
     restorecon /persist/playready
     restorecon /persist/playready/dxhdcp2
+    restorecon /persist/playready/dxhdcp2/acGSIRU1TX-2o-nJ69e1aFGgUxE_
+    restorecon /persist/playready/dxhdcp2/acGSIRU1TX-2o-nJ69e1aFGgUxE_/etK7oituoft7bxrO5H7GIVuhEQM_
+    restorecon /persist/playready/dxhdcp2/acGSIRU1TX-2o-nJ69e1aFGgUxE_/zttE+GVYd9YzREzMHiKY-IlERZM_
     restorecon /persist/sensors
     restorecon /persist/sensors/sns.reg
     restorecon /persist/widevine
+    restorecon /persist/widevine/5dsokxEEDXgQhkN50bp-Z2K5InM_
+    restorecon /persist/widevine/5dsokxEEDXgQhkN50bp-Z2K5InM_/RXFABDUxyT6Q+Zwx9ZhPGOq2Bq8_
+    restorecon /persist/widevine/5dsokxEEDXgQhkN50bp-Z2K5InM_/D3qpp0bxmJhbiZwIsCbXJ1434rc_
     restorecon /persist/wifi
     restorecon /persist/wifi/.macaddr
     setprop ro.crypto.fuse_sdcard true
 # to observe dnsmasq.leases file for dhcp information of soft ap.
     chown dhcp system /data/misc/dhcp
 
+    mkdir /data/misc/playready
+    restorecon /data/misc/playready
+    mkdir /data/misc/tzapps
+    restorecon /data/misc/tzapps
+
     write /dev/wcnss_wlan 1
     write /sys/module/wcnss_ssr_8960/parameters/enable_riva_ssr 1
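Review bot: The six added `restorecon` lines under /persist/playready/dxhdcp2 and /persist/widevine pin what look like generated directory and file names, so an entry created under any other name keeps its previous label and presumably falls outside the `persist_drm_file` rules that tee is given in this commit. If the init in this tree has a recursive relabel command (later Android init provides `restorecon_recursive`), relabeling the two parent directories would cover every entry without hard-coding these names. Otherwise a comment stating where the names come from and whether they are stable across devices would help. Separately, the added `mkdir /data/misc/playready` and `mkdir /data/misc/tzapps` give no mode, owner or group, so both directories get init's defaults; writing them out as `mkdir /data/misc/playready <mode> <owner> <group>` would make the intended access explicit for directories that hold DRM and TEE data.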
 

sepolicy/bluetooth_loader.te

 
 # Talk to init over the property socket
 unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
 
 # Shared memory node access
 allow hci_attach bluetooth_device:chr_file rw_file_perms;
 
 # Allow getprop/setprop for init.mako.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
-
-# Allow bdAddrLoader to set bluetooth property value
-allow bluetooth_loader system_prop:property_service set;
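Review bot: The new rule `allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;` also grants `set` to the `bluetooth` domain, which the removed `system_prop` rule did not cover, and the comment does not say which component in that domain writes these properties. Replacing the broad `system_prop` grant with a dedicated type is a clear tightening for the loader. The `bluetooth` half, though, sits in bluetooth_loader.te, where someone auditing the bluetooth domain may not look. I would split it into its own line with a comment such as `# bluetooth stack sets persist.service.bdroid.* at runtime` (wording to be confirmed by the author), or move it to the file that holds the other `bluetooth` rules.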

sepolicy/drmserver.te

+# Drm wants to read /firmware/image/tzapps.mdt
+r_dir_file(drmserver, radio_efs_file)
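Review bot: The comment names a single file, /firmware/image/tzapps.mdt, but `r_dir_file(drmserver, radio_efs_file)` grants drmserver read access to every directory and file carrying the `radio_efs_file` label. Judging by the type name, that label also covers modem or radio data unrelated to DRM, so the grant is wider than the stated need. If the filesystem holding the firmware image allows per-file labels, a dedicated type for the TrustZone app images would keep drmserver away from the rest. If it is mounted with a single context, the comment should say so, for example `# /firmware is labeled as a whole; drmserver only needs image/tzapps.*`.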

sepolicy/file_contexts

 /data/nfc(/.*)?                u:object_r:nfc_data_file:s0
 /data/qcks(/.*)?               u:object_r:kickstart_data_file:s0
 /data/misc/sensors(/.*)?       u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)?     u:object_r:drm_data_file:s0
+/data/misc/tzapps(/.*)?        u:object_r:tee_data_file:s0
 /data/system/sensors(/.*)?     u:object_r:sensors_data_file:s0
 
 # System binaries

sepolicy/mediaserver.te

 allow mediaserver audio_data_file:dir w_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
+allow mediaserver camera_data_file:sock_file w_file_perms;
 
 qmux_socket(mediaserver)
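Review bot: The added `allow mediaserver camera_data_file:sock_file w_file_perms;` has no comment, and neither the commit message nor this section says which socket it is for or which daemon owns it. Connecting to a UNIX socket normally needs only `write` on the sock_file, plus a `connectto` rule on the peer that is not visible here, while `w_file_perms` also carries `open` and `append`. I would narrow it to `allow mediaserver camera_data_file:sock_file write;` and add a one-line comment naming the socket path and the peer domain.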
 

sepolicy/netmgrd.te

 
 # Talk to init over the property socket
 unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;
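Review bot: The comment on `allow netmgrd radio_prop:property_service set;` says the goal is to set `net.rmnet_usb0.` values, but the rule lets netmgrd set every property labeled `radio_prop`. That type is not introduced by this commit, so it presumably already labels other radio-related prefixes in the base policy. This commit creates a dedicated `bluetooth_prop` type for the bluetooth case, and the same approach would fit here: declare a separate property type for `net.rmnet_usb0.` in property.te and property_contexts and grant netmgrd `set` on that type only. If sharing `radio_prop` is intentional, the comment should say that netmgrd is trusted to write all radio properties.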

sepolicy/property.te

+type bluetooth_prop, property_type;

sepolicy/property_contexts

+persist.service.bdroid.         u:object_r:bluetooth_prop:s0
+bluetooth.                      u:object_r:bluetooth_prop:s0
+net.rmnet_usb0.                 u:object_r:radio_prop:s0
+# Qualcomm Secure Execution Environment Communicator policy
 allow tee self:process execmem;
+
+# Access /data/misc/playready
+allow tee system_data_file:dir { open read };
+allow tee drm_data_file:dir rw_dir_perms;
+allow tee drm_data_file:file rw_file_perms;
+
+# Access /persist/{widevine,playready}
+allow tee persist_file:dir search;
+allow tee persist_drm_file:dir r_dir_perms;
+allow tee persist_drm_file:file r_file_perms;
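Review bot: The rule `allow tee system_data_file:dir { open read };` lets tee list any directory labeled `system_data_file`, yet the comment above it is about reaching /data/misc/playready, which file_contexts in this commit labels `drm_data_file`. If the need is only to traverse /data and /data/misc on the way there, `allow tee system_data_file:dir search;` is enough and avoids exposing directory listings, assuming a domain-wide rule does not already grant it. The same file_contexts change labels /data/misc/tzapps as `tee_data_file`, but no tee rule for that type appears in this section, so it is worth confirming that one exists elsewhere. Note also that these tee rules follow the property_contexts entries with no file header of their own on this page, so the section boundary here is inferred.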