diff options
author | Riley Spahn <rileyspahn@google.com> | 2014-07-02 12:42:59 -0700 |
---|---|---|
committer | Riley Spahn <rileyspahn@google.com> | 2014-07-24 13:36:38 -0700 |
commit | 70f75ce9e5975df47d0ccb32660bb618c22ef181 (patch) | |
tree | 8aa6176d7d76f0dfa99b3f56763c848dedf510b1 | |
parent | ba992496f01e40a10d9749bb25b6498138e607fb (diff) | |
download | sepolicy-70f75ce9e5975df47d0ccb32660bb618c22ef181.tar.gz |
Add fine grained access control to DrmManagerService.
Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.
Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
-rw-r--r-- | access_vectors | 11 | ||||
-rw-r--r-- | drmserver.te | 2 | ||||
-rw-r--r-- | mediaserver.te | 12 | ||||
-rw-r--r-- | security_classes | 1 | ||||
-rw-r--r-- | te_macros | 10 |
5 files changed, 36 insertions, 0 deletions
diff --git a/access_vectors b/access_vectors index 1b26bce..659fb36 100644 --- a/access_vectors +++ b/access_vectors @@ -921,3 +921,14 @@ class debuggerd dump_tombstone dump_backtrace } + +class drmservice { + consumeRights + setPlaybackStatus + openDecryptSession + closeDecryptSession + initializeDecryptUnit + decrypt + finalizeDecryptUnit + pread +} diff --git a/drmserver.te b/drmserver.te index 14b2f49..2a146b6 100644 --- a/drmserver.te +++ b/drmserver.te @@ -54,3 +54,5 @@ auditallow drmserver { -drmserver_service -system_server_service }:service_manager find; + +selinux_check_access(drmserver) diff --git a/mediaserver.te b/mediaserver.te index 52c593e..3eb078d 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -89,3 +89,15 @@ auditallow mediaserver { -system_server_service -surfaceflinger_service }:service_manager find; + +use_drmservice(mediaserver) +allow mediaserver drmserver:drmservice { + consumeRights + setPlaybackStatus + openDecryptSession + closeDecryptSession + initializeDecryptUnit + decrypt + finalizeDecryptUnit + pread +}; diff --git a/security_classes b/security_classes index ca8f468..9cd3f1c 100644 --- a/security_classes +++ b/security_classes @@ -146,4 +146,5 @@ class keystore_key # userspace # debuggerd service class debuggerd # userspace +class drmservice # userspace # FLASK @@ -367,3 +367,13 @@ define(`use_keystore', ` define(`service_manager_local_audit_domain', ` typeattribute $1 service_manager_local_audit; ') + +########################################### +# use_drmservice(domain) +# Ability to use DrmService which requires +# DrmService to call getpidcon. +define(`use_drmservice', ` + allow drmserver $1:dir search; + allow drmserver $1:file { read open }; + allow drmserver $1:process getattr; +') |