Merge "mediaserver drmserver: remove domain_deprecated attribute"

domain_deprecated.te

@@ -14,7 +14,7 @@ auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system
 
 # Inherit or receive open files from others.
 allow domain_deprecated system_server:fd use;
-auditallow { domain_deprecated -appdomain -mediaserver -netd -surfaceflinger } system_server:fd use;
+auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
@@ -41,9 +41,9 @@ auditallow domain_deprecated device:file read;
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
+auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
@@ -78,7 +78,7 @@ auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 # split this auditallow into read and write perms since most domains seem to
 # only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -mediaserver -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
 auditallow domain_deprecated ion_device:chr_file { write append };
 
 # Read access to pseudo filesystems.
@@ -96,8 +96,8 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
@@ -105,8 +105,8 @@ auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vol
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
 
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;

drmserver.te

 # drmserver - DRM service
-type drmserver, domain, domain_deprecated;
+type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
@@ -12,6 +12,8 @@ binder_use(drmserver)
 binder_call(drmserver, system_server)
 binder_call(drmserver, { appdomain autoplay_app })
 binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
 
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)

mediaserver.te

 # mediaserver - multimedia daemon
-type mediaserver, domain, domain_deprecated;
+type mediaserver, domain;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
@@ -8,7 +8,7 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaserver, cgroup)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;