1# HwBinder IPC from client to server, and callbacks 2binder_use(hal_drm_server) 3binder_call(hal_drm_client, hal_drm_server) 4binder_call(hal_drm_server, hal_drm_client) 5 6hal_attribute_hwservice(hal_drm, hal_drm_hwservice) 7hal_attribute_service(hal_drm, hal_drm_service) 8 9allow hal_drm hidl_memory_hwservice:hwservice_manager find; 10 11# Required by Widevine DRM (b/22990512) 12allow hal_drm self:process execmem; 13 14# Permit reading device's serial number from system properties 15get_prop(hal_drm, serialno_prop) 16 17# Read files already opened under /data 18allow hal_drm system_data_file:file { getattr read }; 19 20# Read access to pseudo filesystems 21r_dir_file(hal_drm, cgroup) 22allow hal_drm cgroup:dir { search write }; 23allow hal_drm cgroup:file w_file_perms; 24 25r_dir_file(hal_drm, cgroup_v2) 26allow hal_drm cgroup_v2:dir { search write }; 27allow hal_drm cgroup_v2:file w_file_perms; 28 29# Allow access to ion memory allocation device 30allow hal_drm ion_device:chr_file rw_file_perms; 31allow hal_drm hal_graphics_allocator:fd use; 32 33# Allow access to hidl_memory allocation service 34allow hal_drm hal_allocator_server:fd use; 35 36# Allow access to fds allocated by mediaserver 37allow hal_drm mediaserver:fd use; 38 39allow hal_drm sysfs:file r_file_perms; 40 41allow hal_drm tee_device:chr_file rw_file_perms; 42 43allow hal_drm_server { appdomain -isolated_app }:fd use; 44 45# only allow unprivileged socket ioctl commands 46allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket } 47 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 48 49### 50### neverallow rules 51### 52 53# hal_drm should never execute any executable without a 54# domain transition 55neverallow hal_drm_server { file_type fs_type }:file execute_no_trans; 56 57# do not allow privileged socket ioctl commands 58neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 59