| author | Nolen Johnson <johnsonnolen@gmail.com> | 2021-11-04 12:17:26 -0400 |
|---|---|---|
| committer | Nolen Johnson <johnsonnolen@gmail.com> | 2021-11-08 15:11:27 -0500 |
| commit | 6f089c254845094a1fa09a0ba522f38bdfb6d0e5 (patch) | |
| tree | 99ef81935b5b6c3a123644ecc4822ba7f4c921ae | |
| parent | 1f0b09998d3578e2a5c8df4ecb5af340f5937ba6 (diff) | |
atv: Label and allow mediashell_app what it needs
* ATV GMS does this, so we're gonna have to as well.
Change-Id: I0d4fecfad032b0a14a215fa4ddf2e994a9df0c70
| -rw-r--r-- | atv/private/certs/mediashell/mediashell-release.x509.pem | 23 | ||||
| -rw-r--r-- | atv/private/keys.conf | 2 | ||||
| -rw-r--r-- | atv/private/mac_permissions.xml | 7 | ||||
| -rw-r--r-- | atv/private/mediashell_app.te | 28 | ||||
| -rw-r--r-- | atv/private/seapp_contexts | 1 | ||||
| -rw-r--r-- | atv/sepolicy.mk | 3 |
6 files changed, 64 insertions, 0 deletions
diff --git a/atv/private/certs/mediashell/mediashell-release.x509.pem b/atv/private/certs/mediashell/mediashell-release.x509.pem
new file mode 100644
index 0000000..1c4dc5a
--- /dev/null
+++ b/atv/private/certs/mediashell/mediashell-release.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIJAOkFRFkrhFCCMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDETMBEG
+A1UEAwwKbWVkaWFzaGVsbDAeFw0xNDA1MjcwNDM0MDBaFw00MTEwMTIwNDM0MDBa
+MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1N
+b3VudGFpbiBWaWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5k
+cm9pZDETMBEGA1UEAwwKbWVkaWFzaGVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANB1m2sXKkhJKtXukj5yfutgIqzYCLtXDEWXQ9qbQ8Rh5ediHJ0F
+Cl3nopi9DwwCYP+Ok+Jygl3YSEiBJBoG7pJmrCv94Z/eDYoJRZ1Xy8cibmWNlL8p
+HQ/lLajRUpJnkzfsag4uN/mzztOc09nlsAmqWYjbIVbIyiN1tBxm9jkKLQ4OmEnB
+eHQJn8DZJV+YmMvFWRIbhk+V8p6L4i2x4nQaAJjaSVn0YZdurQ4SbZOXwEtl8Jjv
+D7xCetSdMs9P7006ZGDKxJX3cljqLei9ikC/B/M/YF19V2a+eiHynkonLKpYpTlc
+zf8mfQvU8n5Efy3JvMRKFGRXp4o6Sr0hX3cCAwEAAaNQME4wHQYDVR0OBBYEFLPM
+RCrb6DZ48IJbNHE0rGMeYCCTMB8GA1UdIwQYMBaAFLPMRCrb6DZ48IJbNHE0rGMe
+YCCTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJaHK/mYG3Hp6O4C
+W1XpPOKoUhcloaoZEELvrTa4KaDJGycf4/tpmUQzE2f6piaBpJLiKB3spd/M3QPG
+Qqrxe3Tcfyb8hV5QvU9M4uKLG2v77Osb3ZiYcOX/yFv+f7JBGUQnM/TQ2k1jPF6+
+5YWDCh+GFD9Fo8/OQK7QYX/VKwe5Yrxm0ZhfPtT51sZIshE4yp6B+pn+kXb03Lvl
+IqJsLtUIprcJ4Vd/KlCvU9EGgToXMb0XhoZpW0fZh6E0IWeBLgxwHMrOthZnNS5J
+YcEM10pENnkrkjZONbMQoF8rFLJoc2JLN+hpOhy07TNvVuHYIHrpArM+OQ5RspfK
+NEAinIU=
+-----END CERTIFICATE-----
diff --git a/atv/private/keys.conf b/atv/private/keys.conf
new file mode 100644
index 0000000..1fa8af5
--- /dev/null
+++ b/atv/private/keys.conf
@@ -0,0 +1,2 @@
+[@MEDIASHELL]
+ALL : device/lineage/sepolicy/atv/private/certs/mediashell/mediashell-release.x509.pem
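Review bot: Nothing in atv/private/keys.conf or the commit message records where mediashell-release.x509.pem came from, yet this certificate is what ties a signer to `seinfo=mediashell` and through it to the new domain. A comment above the `[@MEDIASHELL]` section would let a later reviewer re-check the file against the shipped APK, for example `# Signing certificate of com.google.android.apps.mediashell, extracted from <SOURCE_APK_PLACEHOLDER>; SHA-256 <FINGERPRINT_PLACEHOLDER>`. The `ALL` tag applies the same certificate to every build variant, which looks intended here.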
diff --git a/atv/private/mac_permissions.xml b/atv/private/mac_permissions.xml
new file mode 100644
index 0000000..68e39ed
--- /dev/null
+++ b/atv/private/mac_permissions.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+ <signer signature="@MEDIASHELL" >
+ <seinfo value="mediashell" />
+ </signer>
+</policy>
+
diff --git a/atv/private/mediashell_app.te b/atv/private/mediashell_app.te
new file mode 100644
index 0000000..72d7063
--- /dev/null
+++ b/atv/private/mediashell_app.te
@@ -0,0 +1,28 @@
+type mediashell_app, domain, coredomain;
+
+app_domain(mediashell_app);
+bluetooth_domain(mediashell_app);
+net_domain(mediashell_app);
+
+userdebug_or_eng(`
+ allow mediashell_app shell_data_file:file r_file_perms;
+ allow mediashell_app shell_data_file:dir r_dir_perms;
+')
+
+allow mediashell_app audioserver:fifo_file { write };
+
+allow mediashell_app app_api_service:service_manager find;
+allow mediashell_app audioserver_service:service_manager find;
+allow mediashell_app cameraserver_service:service_manager find;
+allow mediashell_app drmserver_service:service_manager find;
+allow mediashell_app mediadrmserver_service:service_manager find;
+allow mediashell_app mediaextractor_service:service_manager find;
+allow mediashell_app mediametrics_service:service_manager find;
+allow mediashell_app mediaserver_service:service_manager find;
+allow mediashell_app network_watchlist_service:service_manager find;
+allow mediashell_app nfc_service:service_manager find;
+allow mediashell_app radio_service:service_manager find;
+allow mediashell_app system_api_service:service_manager find;
+
+allow mediashell_app self:process ptrace;
+allow mediashell_app self:process ptrace;
diff --git a/atv/private/seapp_contexts b/atv/private/seapp_contexts
new file mode 100644
index 0000000..b32c255
--- /dev/null
+++ b/atv/private/seapp_contexts
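Review bot: The last two added lines of atv/private/mediashell_app.te are the same rule, `allow mediashell_app self:process ptrace;`, so one of them is redundant and should be dropped. The remaining ptrace rule would benefit from a comment saying why the app has to trace its own processes (presumably an in-process crash reporter; this should be confirmed), since the commit message only says that the GMS policy does the same. The twelve `service_manager find` grants include `nfc_service`, `radio_service` and `cameraserver_service`; any of them that was copied without an observed denial would be better left out until one appears. A header comment such as `# Domain for com.google.android.apps.mediashell; rules mirror the ATV GMS policy` would record where the list came from.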
@@ -0,0 +1 @@
+user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell type=app_data_file levelFrom=all
diff --git a/atv/sepolicy.mk b/atv/sepolicy.mk
index 43af961..b0df2cb 100644
--- a/atv/sepolicy.mk
+++ b/atv/sepolicy.mk
@@ -7,3 +7,6 @@ ifneq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
 BOARD_SEPOLICY_DIRS += \
 device/lineage/sepolicy/atv/vendor
 endif
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += \
+ device/lineage/sepolicy/atv/private
|
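Review bot: The single entry in atv/private/seapp_contexts labels the app's data `type=app_data_file` although it is selected with `isPrivApp=true`, whereas AOSP's own priv-app entries use `privapp_data_file`. If that choice is deliberate to match the GMS policy, a comment above the line would stop it being "corrected" later, for example `# data type kept as app_data_file to match the ATV GMS policy`. If it is not deliberate, the type may need to change before devices have created the data directory, because a later change would presumably require relabelling existing data.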
