[ALPS03982747] Add widevine sepolicy rules

Widevine provides a script in /vendor/widevine/
libwvdrmengine/move_widevine_data.sh that copies
the data files from /data to /data/vendor. Some
sepolicy rules are required to enable the device
to run this script.

MTK-Commit-Id: f7aba378699fc68e4e10ed2ed2b812c1e502e66f

Change-Id: I2731ad21da180a1a5f927c5631dcc579da1dc314
CR-Id: ALPS03982747
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
mtk12101 2020-01-18 10:05:59 +08:00 committed by Shan Zhang
parent 4586efdd5a
commit 583196d1e8
2 changed files with 20 additions and 0 deletions


@ -575,6 +575,7 @@
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
#Widevine drm hal
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:hal_drm_widevine_exec:s0
/system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
#PQ hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
# Keymaster Attestation Hal
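Review bot: The new `/system/bin/move_widevine_data\.sh` entry labels a path that does not match where the commit message says the script lives (`/vendor/widevine/libwvdrmengine/move_widevine_data.sh`), so one of the two is wrong. If the script really ships under /vendor, a `/system/bin` pattern in what the neighbouring `/(system\/vendor|vendor)/...` entries suggest is the vendor file_contexts will never label it, the exec type `move-widevine-data-sh_exec` will never be applied, and the `init_daemon_domain` transition into the new domain silently will not happen. Either label the real location, e.g. `/(vendor|system/vendor)/widevine/libwvdrmengine/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0`, or state in the commit message that the script is installed to /system/bin; note that the domain is declared `coredomain`, which as far as I recall is neverallowed from executing vendor-partition files, so the install location also decides whether that attribute is acceptable.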


@ -0,0 +1,19 @@
type move-widevine-data-sh, domain, coredomain;
type move-widevine-data-sh_exec, exec_type, file_type;
init_daemon_domain(move-widevine-data-sh);
typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
allow move-widevine-data-sh shell_exec:file rx_file_perms;
allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
allow move-widevine-data-sh file_contexts_file:file { read getattr open };
allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
allow move-widevine-data-sh media_data_file:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
# for writing files_moved so we only execute the move once
allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
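Review bot: `typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;` exempts a coredomain from the core/vendor data-separation neverallows without a comment saying why, and the rules below grant it standing `rename`/`reparent`/`rmdir`/`relabelfrom` over every `media_data_file` directory (presumably /data/mediadrm, the DRM key store) even though the `files_moved` marker in the comment shows the migration is meant to run once. Add a header comment such as `# One-shot migration of Widevine data from /data/mediadrm to /data/vendor/mediadrm; Treble data-separation exemption, drop once migrated devices are the only ones supported` and make sure the init service that launches the script is declared oneshot so the domain is not resident with these permissions. The permission set on `media_data_file:file` (`getattr setattr relabelfrom`, no `read`/`open`) only supports renaming and relabeling, not the file copy the commit message describes, so either the description or the rules should be corrected; a `cp` in the script would be denied. Likewise `mediadrm_vendor_data_file:file` lacks `read`, so `[ -f files_moved ]` (getattr) will work but reading the marker will not; worth confirming against the script, which is outside this change.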