resolved conflicts for merge of 92b9360c to lmp-dev-plus-aosp

Change-Id: I16eca0cac13042f9ed2e1484e6aa25f233508aa9

access_vectors

@@ -921,3 +921,14 @@ class debuggerd
 	dump_tombstone
 	dump_backtrace
 }
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}

drmserver.te

@@ -46,3 +46,5 @@ allow drmserver asec_apk_file:file { read getattr };
 allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
+
+selinux_check_access(drmserver)

mediaserver.te

@@ -79,3 +79,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};

security_classes

@@ -146,4 +146,5 @@ class keystore_key              # userspace
 # debuggerd service
 class debuggerd                 # userspace
 
+class drmservice                # userspace
 # FLASK

te_macros

@@ -358,3 +358,13 @@ define(`use_keystore', `
   allow keystore $1:process getattr;
   binder_call($1, keystore)
 ')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')