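# Type-enforcement rules for the drmserver domain.
#
# The macros (init_daemon_domain, binder_call, r_dir_file, ...) and permission
# sets (create_file_perms, rw_dir_perms, r_file_perms, ...) used below are
# defined elsewhere in the policy tree, not in this file.
#
# Review notes:
#  - The rules on app_data_file, privapp_data_file, sdcard_type/fuse files,
#    apk_data_file, asec_apk_file, ringtone_file, radio_data_file and
#    vendor_overlay_file grant read/write/getattr/map but not "open". The
#    domain can therefore use descriptors that were handed to it (for example
#    over Binder) but cannot open those files by path on its own.
#  - mlstrustedsubject exempts the domain from MLS constraints, so for those
#    descriptor-based accesses the type rules in this file are the remaining
#    control on which app data drmserver can touch.
#  - The /data/app socket rules are paired with auditallow, which grants
#    nothing and only logs use of the permission.

# Platform (core) domain.
typeattribute drmserver coredomain;

# Enter this domain when init starts the daemon.
init_daemon_domain(drmserver)

# sock_file objects that drmserver creates inside an apk_data_file directory
# are labelled drmserver_socket instead of inheriting the directory's type.
type_transition drmserver apk_data_file:sock_file drmserver_socket;

typeattribute drmserver_socket coredomain_socket;

# Read the DRM service configuration properties.
get_prop(drmserver, drm_service_config_prop)

# Exempt from MLS constraints (see review notes at the top of the file).
typeattribute drmserver mlstrustedsubject;

# Network access.
net_domain(drmserver)

# Perform Binder IPC to system_server, apps and mediametrics, and act as a
# Binder service.
binder_use(drmserver)
binder_call(drmserver, system_server)
binder_call(drmserver, appdomain)
binder_call(drmserver, mediametrics)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;

# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)

# Traverse external-storage directories; no read or write on the directories
# themselves.
allow drmserver { sdcard_type fuse }:dir search;
# Full management of the daemon's own data directory and files.
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
# App-private and external-storage files: no "open", so only descriptors
# received from another process are usable.
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
allow drmserver { sdcard_type fuse }:file { read write getattr map };
# Read-only access to efs_file directories and files.
r_dir_file(drmserver, efs_file)

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
# NOTE(review): rw_dir_perms gives write access to the directory that holds
# installed packages; the auditallow lines log every use, presumably so the
# legacy socket path can be retired once nothing triggers them. Confirm
# before widening or removing.
allow drmserver apk_data_file:dir rw_dir_perms;
auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
# This applies to a socket still labelled apk_data_file, i.e. one that did
# not receive the drmserver_socket label from the type_transition above.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.
r_dir_file(drmserver, media_rw_data_file)

# Read resources from open apk files passed over Binder.
# No "open" permission: the descriptor must come from the caller.
allow drmserver apk_data_file:file { read getattr map };
allow drmserver asec_apk_file:file { read getattr map };
allow drmserver ringtone_file:file { read getattr map };

# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr map };

# /oem access
# Unlike the descriptor-only rules above, r_file_perms lets drmserver open
# these files by path.
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;

# overlay package access
allow drmserver vendor_overlay_file:file { read map };

# Register drmserver_service with the service manager and look up the
# permission and mediametrics services.
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
allow drmserver mediametrics_service:service_manager find;

# Allow the daemon to query SELinux access decisions.
selinux_check_access(drmserver)

# Read-only access to cgroup hierarchies and to system_file content.
r_dir_file(drmserver, cgroup)
r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)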