From dd229ac506add7849cac2099f1d2035083a09e67 Mon Sep 17 00:00:00 2001
From: mtk14717 <yifei.qiao@mediatek.com>
Date: Sat, 18 Jan 2020 09:45:51 +0800
Subject: [PATCH] [ALPS03853366] Fix kisd sepolicy issue for android p[1/3]

[Detail]
Move kisd from system to vendor and add keymanage hidl
[Solution]
Modify related sepolicy in device/mediatek/sepolicy/basic

MTK-Commit-Id: c1826ac0bdcc18a4e6d3298e73514801a35a09ad

Change-Id: Iee4b65ba5addc5a21de53e76d3bb092e2f37ab01
CR-Id: ALPS03853366
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
---
 non_plat/mediaserver.te                       | 14 +++++++++-----
 plat_private/file_contexts                    |  4 ++--
 plat_private/kisd.te                          | 13 ++++---------
 plat_private/meta_tst.te                      |  1 -
 plat_public/kisd.te                           |  2 +-
 prebuilts/api/26.0/nonplat_sepolicy.cil       |  1 -
 prebuilts/api/26.0/plat_private/file_contexts |  4 ++--
 prebuilts/api/26.0/plat_private/kisd.te       |  9 +++------
 prebuilts/api/26.0/plat_private/meta_tst.te   |  1 -
 prebuilts/api/26.0/plat_public/kisd.te        |  2 +-
 10 files changed, 22 insertions(+), 29 deletions(-)

diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te
index ad2b015..223c0a2 100644
--- a/non_plat/mediaserver.te
+++ b/non_plat/mediaserver.te
@@ -349,11 +349,6 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms;
 # Purpose : m4u Driver
 #allow mediaserver proc:file r_file_perms;
 
-# Date : WK17.29
-# Operation : O Migration
-# Purpose : hdcp
-allow mediaserver kisd:unix_stream_socket connectto;
-
 # Date : WK17.30
 # Operation : O Migration
 # Purpose: Allow to access cmdq driver
@@ -386,3 +381,12 @@ allow mediaserver camera_mfb_device:chr_file rw_file_perms;
 # Purpose : Allow permgr access
 allow mediaserver proc_perfmgr:dir {read search};
 allow mediaserver proc_perfmgr:file {open read ioctl};
+
+# Date : WK18.18
+# Operation : Migration
+# Purpose : wifidisplay hdcp
+# DRM Key Manage HIDL
+allow mediaserver  mtk_hal_keymanage:binder call;
+# Purpose : Allow mediadrmserver  to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mediaserver , hal_keymaster)
+allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;
diff --git a/plat_private/file_contexts b/plat_private/file_contexts
index e2a7333..40de9e6 100644
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@@ -23,7 +23,7 @@
 /system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
 /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
 /system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/kisd u:object_r:kisd_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
 /system/bin/factory u:object_r:factory_exec:s0
 /system/bin/pre_meta u:object_r:pre_meta_exec:s0
 
@@ -32,7 +32,7 @@
 /(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
 
 # kisd for Key Manager
-#/data/key_provisioning(/.*)?   u:object_r:key_install_data_file:s0
+/data/vendor/key_provisioning(/.*)?   u:object_r:key_install_data_file:s0
 
 # storagemanager daemon
 # it is used to mount all storages in meta/factory mode
diff --git a/plat_private/kisd.te b/plat_private/kisd.te
index 68c04a5..59d6a00 100644
--- a/plat_private/kisd.te
+++ b/plat_private/kisd.te
@@ -1,13 +1,13 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
 # Type Declaration
 # ==============================================
 
-type kisd_exec, exec_type, file_type;
-typeattribute kisd coredomain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
 
 # ==============================================
 # MTK Policy Rule
@@ -16,22 +16,17 @@ typeattribute kisd coredomain;
 init_daemon_domain(kisd)
 
 allow kisd tee_device:chr_file {read write open ioctl};
-typeattribute kisd data_between_core_and_vendor_violators;
+#typeattribute kisd data_between_core_and_vendor_violators;
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
 allow kisd system_file:file {execute_no_trans};
-allow kisd shell_exec:file {read open getattr execute execute_no_trans};
-allow kisd toolbox_exec:file {read open getattr execute execute_no_trans};
-allow kisd vendor_toolbox_exec:file getattr;
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
 allow kisd key_install_data_file:dir {write remove_name add_name};
 allow kisd key_install_data_file:file {write getattr read create unlink open};
 allow kisd key_install_data_file:dir search;
-#allow kisd self:capability {dac_override dac_read_search};
 allow kisd mtd_device:chr_file { open read write };
 allow kisd mtd_device:dir { search };
 allow kisd kb_block_device:chr_file {read write open ioctl getattr};
 allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
-
diff --git a/plat_private/meta_tst.te b/plat_private/meta_tst.te
index f4da912..c1e00f2 100644
--- a/plat_private/meta_tst.te
+++ b/plat_private/meta_tst.te
@@ -31,7 +31,6 @@ allow meta_tst sysfs_wake_lock:file rw_file_perms;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
-allow meta_tst kisd:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
 allow meta_tst node:tcp_socket node_bind;
 allow meta_tst labeledfs:filesystem unmount;
diff --git a/plat_public/kisd.te b/plat_public/kisd.te
index cc7bd44..40ae7e3 100644
--- a/plat_public/kisd.te
+++ b/plat_public/kisd.te
@@ -1,5 +1,5 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
diff --git a/prebuilts/api/26.0/nonplat_sepolicy.cil b/prebuilts/api/26.0/nonplat_sepolicy.cil
index 1cf7bbb..078909e 100755
--- a/prebuilts/api/26.0/nonplat_sepolicy.cil
+++ b/prebuilts/api/26.0/nonplat_sepolicy.cil
@@ -8580,7 +8580,6 @@
 (allow mediaserver_26_0 sw_sync_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 camera_owe_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 kisd_26_0 (unix_stream_socket (connectto)))
 (allow mediaserver_26_0 mtk_cmdq_device (chr_file (ioctl read open)))
 (allow meta_tst_26_0 ttyGS_device (chr_file (ioctl read write getattr lock append open)))
 (allow meta_tst_26_0 ttyMT_device (chr_file (ioctl read write getattr lock append open)))
diff --git a/prebuilts/api/26.0/plat_private/file_contexts b/prebuilts/api/26.0/plat_private/file_contexts
index 1a13a11..2392bc0 100755
--- a/prebuilts/api/26.0/plat_private/file_contexts
+++ b/prebuilts/api/26.0/plat_private/file_contexts
@@ -22,7 +22,7 @@
 /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
 /system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
 /system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/kisd u:object_r:kisd_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
 /system/bin/pre_meta u:object_r:pre_meta_exec:s0
 /system/bin/factory u:object_r:factory_exec:s0
 
@@ -38,4 +38,4 @@
 /system/bin/storagemanagerd u:object_r:storagemanagerd_exec:s0
 
 # For drmserver
-/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
\ No newline at end of file
+/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
diff --git a/prebuilts/api/26.0/plat_private/kisd.te b/prebuilts/api/26.0/plat_private/kisd.te
index 856859b..0b9efbb 100755
--- a/prebuilts/api/26.0/plat_private/kisd.te
+++ b/prebuilts/api/26.0/plat_private/kisd.te
@@ -1,13 +1,13 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
 # Type Declaration
 # ==============================================
 
-type kisd_exec, exec_type, file_type;
-typeattribute kisd coredomain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
 
 # ==============================================
 # MTK Policy Rule
@@ -20,16 +20,13 @@ typeattribute kisd data_between_core_and_vendor_violators;
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
 allow kisd system_file:file {execute_no_trans};
-allow kisd shell_exec:file {read open getattr};
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
 allow kisd key_install_data_file:dir {write remove_name add_name};
 allow kisd key_install_data_file:file {write getattr read create unlink open};
 allow kisd key_install_data_file:dir search;
-#allow kisd self:capability {dac_override dac_read_search};
 allow kisd mtd_device:chr_file { open read write };
 allow kisd mtd_device:dir { search };
 allow kisd kb_block_device:chr_file {read write open ioctl getattr};
 allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
-
diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te
index f4da912..c1e00f2 100755
--- a/prebuilts/api/26.0/plat_private/meta_tst.te
+++ b/prebuilts/api/26.0/plat_private/meta_tst.te
@@ -31,7 +31,6 @@ allow meta_tst sysfs_wake_lock:file rw_file_perms;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
-allow meta_tst kisd:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
 allow meta_tst node:tcp_socket node_bind;
 allow meta_tst labeledfs:filesystem unmount;
diff --git a/prebuilts/api/26.0/plat_public/kisd.te b/prebuilts/api/26.0/plat_public/kisd.te
index cc7bd44..40ae7e3 100755
--- a/prebuilts/api/26.0/plat_public/kisd.te
+++ b/prebuilts/api/26.0/plat_public/kisd.te
@@ -1,5 +1,5 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================