sepolicy: bsp: Fix Netflix widevine L1 denies

Change-Id: I9553462fea01deb7d953d0c885218d3490dcfee7 Reviewed-on: https://review.statixos.com/c/android_device_mediatek_sepolicy_vndr/+/7763 Reviewed-by: Vaisakh Murali <mvaisakh@statixos.com> Tested-by: Vaisakh Murali <mvaisakh@statixos.com>
2022-02-07 14:41:41 +06:00 · 2022-02-07 14:41:41 +06:00 · e24c0688e9
commit e24c0688e9
parent 695d5c0359
2 changed files with 18 additions and 0 deletions
--- a/bsp/non_plat/surfaceflinger.te
+++ b/bsp/non_plat/surfaceflinger.te
@ -94,3 +94,6 @@ allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms_no_m
 # Data: 2021/09/07
 # Purpose: Call NpAgent
 hal_client_domain(surfaceflinger, hal_neuralnetworks)
+
+# Purpose: Netflix Widevine
+allow surfaceflinger teei_client_device:chr_file rw_file_perms;
--- a/bsp/non_plat/untrusted_app.te
+++ b/bsp/non_plat/untrusted_app.te
@ -34,3 +34,18 @@ allow untrusted_app debugfs_ion:dir search;
 # Operation : eMBMS Migration
 # Purpose :allow EXPWAY middleware to access the socket
 allow untrusted_app radio:unix_stream_socket connectto;
+
+# Purpose: Allow untrusted_app to access mdlactl_device and vpu_device
+allow untrusted_app mdla_device:chr_file { rw_file_perms };
+allow untrusted_app vpu_device:chr_file { rw_file_perms };
+
+# Purpose: Allow untrusted_app to access mcdi device
+allow untrusted_app proc_mcdi:dir search;
+allow untrusted_app proc_mcdi:file rw_file_perms;
+allow untrusted_app proc_mcdi:chr_file rw_file_perms;
+
+# Purpose: Netflix Widevine
+allow untrusted_app proc_atf_log:dir search;
+allow untrusted_app proc_m4u:dir search;
+get_prop(untrusted_app, vendor_mtk_microtrust_tee_prop)
+get_prop(untrusted_app, vendor_mtk_trustonic_tee_prop)