From 583196d1e85da5fb5465e7751dbfe18ec4fea57d Mon Sep 17 00:00:00 2001
From: mtk12101
Date: Sat, 18 Jan 2020 10:05:59 +0800
Subject: [PATCH] [ALPS03982747] Add widevine sepolicy rules Widevine provides a script in /vendor/widevine/ libwvdrmengine/move_widevine_data.sh that copies the data files from /data to /data/vendor. Some sepolicy rules are required to enable the device to run this script.
MTK-Commit-Id: f7aba378699fc68e4e10ed2ed2b812c1e502e66f
Change-Id: I2731ad21da180a1a5f927c5631dcc579da1dc314
CR-Id: ALPS03982747
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
---
 non_plat/file_contexts | 1 +
 non_plat/move-widevine-data-sh.te | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 non_plat/move-widevine-data-sh.te
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 95238ba..7912d3f 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -575,6 +575,7 @@
 /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
 #Widevine drm hal
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:hal_drm_widevine_exec:s0
+/system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
 #PQ hal
 /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
 # Keymaster Attestation Hal
diff --git a/non_plat/move-widevine-data-sh.te b/non_plat/move-widevine-data-sh.te
new file mode 100644
index 0000000..dd830f5
--- /dev/null
+++ b/non_plat/move-widevine-data-sh.te
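Review bot: The new file_contexts entry labels `/system/bin/move_widevine_data\.sh`, but the commit message places the script at /vendor/widevine/libwvdrmengine/move_widevine_data.sh; if the script really ships under /vendor, this pattern never matches, the file keeps the generic vendor label, and the init_daemon_domain transition declared in move-widevine-data-sh.te will not occur. The neighbouring Widevine entry uses the `/(vendor|system/vendor)/bin/hw/...` form, so either the path here or the commit description appears to be wrong. Labelling a /system/bin path from the vendor (non_plat) file_contexts is also unusual, since plat file_contexts normally owns that tree — worth confirming which partition the script lands on before this merges.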
@@ -0,0 +1,19 @@
+type move-widevine-data-sh, domain, coredomain;
+type move-widevine-data-sh_exec, exec_type, file_type;
+init_daemon_domain(move-widevine-data-sh);
+
+typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
+
+allow move-widevine-data-sh shell_exec:file rx_file_perms;
+allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
+
+allow move-widevine-data-sh file_contexts_file:file { read getattr open };
+
+allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
+allow move-widevine-data-sh media_data_file:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+
+allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
+
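Review bot: The domain is declared `coredomain` inside the vendor (non_plat) policy directory and at the same time opted into data_between_core_and_vendor_violators, and the allow rules grant rename/reparent/rmdir/relabelfrom over every media_data_file directory, yet the only explanation in the file is the one comment on the final rule. A header comment stating what is migrated and why the core/vendor data-separation exemption is needed would let a later reviewer judge the scope, e.g. `# One-shot migration of Widevine state from /data (media_data_file) to /data/vendor (mediadrm_vendor_data_file); the data_between_core_and_vendor_violators exemption exists only for this move.` above the typeattribute line. If the script only ever touches one fixed subdirectory, the rules cannot be narrowed below media_data_file without a dedicated type, which is worth recording so the broad relabelfrom/reparent grant is not mistaken for an oversight. Whether coredomain belongs in non_plat at all depends on which partition the script ships on, which the commit message and file_contexts entry disagree about.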