[ALPS03853366] Fix kisd sepolicy issue for android p[1/3]

[Detail]
Move kisd from system to vendor and add keymanage hidl
[Solution]
Modify related sepolicy in device/mediatek/sepolicy/basic

MTK-Commit-Id: c1826ac0bdcc18a4e6d3298e73514801a35a09ad

Change-Id: Iee4b65ba5addc5a21de53e76d3bb092e2f37ab01
CR-Id: ALPS03853366
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK

non_plat/mediaserver.te

@@ -349,11 +349,6 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms;
 # Purpose : m4u Driver
 #allow mediaserver proc:file r_file_perms;
 
-# Date : WK17.29
-# Operation : O Migration
-# Purpose : hdcp
-allow mediaserver kisd:unix_stream_socket connectto;
-
 # Date : WK17.30
 # Operation : O Migration
 # Purpose: Allow to access cmdq driver
@@ -386,3 +381,12 @@ allow mediaserver camera_mfb_device:chr_file rw_file_perms;
 # Purpose : Allow permgr access
 allow mediaserver proc_perfmgr:dir {read search};
 allow mediaserver proc_perfmgr:file {open read ioctl};
+
+# Date : WK18.18
+# Operation : Migration
+# Purpose : wifidisplay hdcp
+# DRM Key Manage HIDL
+allow mediaserver  mtk_hal_keymanage:binder call;
+# Purpose : Allow mediadrmserver  to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mediaserver , hal_keymaster)
+allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;

plat_private/file_contexts

@@ -23,7 +23,7 @@
 /system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
 /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
 /system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/kisd u:object_r:kisd_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
 /system/bin/factory u:object_r:factory_exec:s0
 /system/bin/pre_meta u:object_r:pre_meta_exec:s0
 
@@ -32,7 +32,7 @@
 /(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
 
 # kisd for Key Manager
-#/data/key_provisioning(/.*)?   u:object_r:key_install_data_file:s0
+/data/vendor/key_provisioning(/.*)?   u:object_r:key_install_data_file:s0
 
 # storagemanager daemon
 # it is used to mount all storages in meta/factory mode

plat_private/kisd.te

@@ -1,13 +1,13 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
 # Type Declaration
 # ==============================================
 
-type kisd_exec, exec_type, file_type;
+type kisd_exec, exec_type, file_type, vendor_file_type;
-typeattribute kisd coredomain;
+typeattribute kisd mlstrustedsubject;
 
 # ==============================================
 # MTK Policy Rule
@@ -16,22 +16,17 @@ typeattribute kisd coredomain;
 init_daemon_domain(kisd)
 
 allow kisd tee_device:chr_file {read write open ioctl};
-typeattribute kisd data_between_core_and_vendor_violators;
+#typeattribute kisd data_between_core_and_vendor_violators;
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
 allow kisd system_file:file {execute_no_trans};
-allow kisd shell_exec:file {read open getattr execute execute_no_trans};
-allow kisd toolbox_exec:file {read open getattr execute execute_no_trans};
-allow kisd vendor_toolbox_exec:file getattr;
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
 allow kisd key_install_data_file:dir {write remove_name add_name};
 allow kisd key_install_data_file:file {write getattr read create unlink open};
 allow kisd key_install_data_file:dir search;
-#allow kisd self:capability {dac_override dac_read_search};
 allow kisd mtd_device:chr_file { open read write };
 allow kisd mtd_device:dir { search };
 allow kisd kb_block_device:chr_file {read write open ioctl getattr};
 allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
-

plat_private/meta_tst.te

@@ -31,7 +31,6 @@ allow meta_tst sysfs_wake_lock:file rw_file_perms;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
-allow meta_tst kisd:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
 allow meta_tst node:tcp_socket node_bind;
 allow meta_tst labeledfs:filesystem unmount;

plat_public/kisd.te

@@ -1,5 +1,5 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================

prebuilts/api/26.0/nonplat_sepolicy.cil

@@ -8580,7 +8580,6 @@
 (allow mediaserver_26_0 sw_sync_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 camera_owe_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 kisd_26_0 (unix_stream_socket (connectto)))
 (allow mediaserver_26_0 mtk_cmdq_device (chr_file (ioctl read open)))
 (allow meta_tst_26_0 ttyGS_device (chr_file (ioctl read write getattr lock append open)))
 (allow meta_tst_26_0 ttyMT_device (chr_file (ioctl read write getattr lock append open)))

prebuilts/api/26.0/plat_private/file_contexts

@@ -22,7 +22,7 @@
 /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
 /system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
 /system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/kisd u:object_r:kisd_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
 /system/bin/pre_meta u:object_r:pre_meta_exec:s0
 /system/bin/factory u:object_r:factory_exec:s0
 

prebuilts/api/26.0/plat_private/kisd.te

@@ -1,13 +1,13 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
 # Type Declaration
 # ==============================================
 
-type kisd_exec, exec_type, file_type;
+type kisd_exec, exec_type, file_type, vendor_file_type;
-typeattribute kisd coredomain;
+typeattribute kisd mlstrustedsubject;
 
 # ==============================================
 # MTK Policy Rule
@@ -20,16 +20,13 @@ typeattribute kisd data_between_core_and_vendor_violators;
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
 allow kisd system_file:file {execute_no_trans};
-allow kisd shell_exec:file {read open getattr};
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
 allow kisd key_install_data_file:dir {write remove_name add_name};
 allow kisd key_install_data_file:file {write getattr read create unlink open};
 allow kisd key_install_data_file:dir search;
-#allow kisd self:capability {dac_override dac_read_search};
 allow kisd mtd_device:chr_file { open read write };
 allow kisd mtd_device:dir { search };
 allow kisd kb_block_device:chr_file {read write open ioctl getattr};
 allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
-

prebuilts/api/26.0/plat_private/meta_tst.te

@@ -31,7 +31,6 @@ allow meta_tst sysfs_wake_lock:file rw_file_perms;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
-allow meta_tst kisd:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
 allow meta_tst node:tcp_socket node_bind;
 allow meta_tst labeledfs:filesystem unmount;

prebuilts/api/26.0/plat_public/kisd.te

@@ -1,5 +1,5 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================