Skip to content
Snippets Groups Projects
Commit e45603d3 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

address denials when playing protected content.

When playing protected content on manta, surfaceflinger would crash.

  STEPS TO REPRODUCE:
  1. Launch Play Movies & TV
  2. Play any movie and observe

  OBSERVED RESULTS:
  Device reboot while playing movies

  EXPECTED RESULTS:
  No device reboot

Even though this only reproduces on manta, this seems appropriate
for a general policy.

Addresses the following denials:

<5>[   36.066819] type=1400 audit(1389141624.471:9): avc:  denied  { write } for  pid=1855 comm="TimedEventQueue" name="tlcd_sock" dev="mmcblk0p9" ino=627097 scontext=u:r:mediaserver:s0 tcontext=u:object_r:drmserver_socket:s0 tclass=sock_file
<5>[   36.066985] type=1400 audit(1389141624.471:10): avc:  denied  { connectto } for  pid=1855 comm="TimedEventQueue" path="/data/app/tlcd_sock" scontext=u:r:mediaserver:s0 tcontext=u:r:drmserver:s0 tclass=unix_stream_socket
<5>[   41.379708] type=1400 audit(1389141629.786:15): avc:  denied  { connectto } for  pid=120 comm="surfaceflinger" path=006D636461656D6F6E scontext=u:r:surfaceflinger:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket
<5>[   41.380051] type=1400 audit(1389141629.786:16): avc:  denied  { read write } for  pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
<5>[   41.380209] type=1400 audit(1389141629.786:17): avc:  denied  { open } for  pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
<5>[   41.380779] type=1400 audit(1389141629.786:18): avc:  denied  { ioctl } for  pid=120 comm="surfaceflinger" path="/dev/mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file

Change-Id: I20286ec2a6cf0d190a84ad74e88e94468bab9fdb
Bug: 12434847
parent d362cdf8
No related branches found
No related tags found
No related merge requests found
...@@ -62,3 +62,7 @@ allow mediaserver qtaguid_device:chr_file r_file_perms; ...@@ -62,3 +62,7 @@ allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection # Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt }; allow mediaserver rild:unix_stream_socket { connectto read write setopt };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
...@@ -44,3 +44,8 @@ allow surfaceflinger bootanim:fd use; ...@@ -44,3 +44,8 @@ allow surfaceflinger bootanim:fd use;
binder_call(surfaceflinger, dumpstate) binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell) binder_call(surfaceflinger, shell)
allow surfaceflinger shell_data_file:file write; allow surfaceflinger shell_data_file:file write;
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment