From 0fa3ae72be3674645258c01caaf1d0e4dcac08f0 Mon Sep 17 00:00:00 2001
From: Edwin Wong <edwinwong@google.com>
Date: Thu, 22 Feb 2018 17:52:45 -0800
Subject: [PATCH 1/2] Do not install move_widevine_data.sh in new devices.

Merged from http://go/wvgerrit/44312

The move script is only needed for existing devices that
are running Widevine DRM and are upgrading to Pi or later
Android releases. New devices release with Pi and future
Android releases do not need to run this script.

To run this script, vendor must add the dependency to the
corresponding device makefile and build from ANDROID_ROOT.

For example:
  PRODUCT_PACKAGES += \
      android.hardware.drm@1.0-impl \
      android.hardware.drm@1.0-service \
      android.hardware.drm@1.0-service.widevine \
      move_widevine_data.sh

In addition, vendor needs to update device SELinux policy.

Test: Upgrade from O-MR1 to Pi, Netflix & Play Movies
  can play back offline content downloaded in O-MR1

Test: adb shell to verify script is in /system/bin

Test: adb shell to verify widevine data is moved to
/data/vendor/mediadrm

Test: use audit2allow to verify no avc:denied for widevine drm service

bug: 73656300
Change-Id: I7ad0dfcc0e490f4c018b6a17df6313fade89937f
---
 libwvdrmengine/Android.mk | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/libwvdrmengine/Android.mk b/libwvdrmengine/Android.mk
index d88c9c64..2b4bb7a8 100644
--- a/libwvdrmengine/Android.mk
+++ b/libwvdrmengine/Android.mk
@@ -4,11 +4,29 @@
 LOCAL_PATH := $(call my-dir)
 
 # -----------------------------------------------------------------------------
-#  Copies move script to /system/bin.
-#  The mv command preserves SELinux labels(i.e. media_data_file).
-#  We need to run restorecon to put the correct context after the move.
-#  However, restorecon is not implemented for /vendor/bin, so we put
-#  the script in /system/bin.
+# Copies move script to /system/bin.
+#
+# The move script is only needed for existing devices that
+# are running Widevine DRM and are upgrading to Pi or later
+# Android releases. New devices release with Pi and future
+# Android releases do not need to run this script.
+#
+# To run this script, vendor must add the dependency to the
+# corresponding device.mk file and build from ANDROID_ROOT.
+#
+# For example:
+#   PRODUCT_PACKAGES += \
+#       android.hardware.drm@1.0-impl \
+#       android.hardware.drm@1.0-service \
+#       android.hardware.drm@1.0-service.widevine \
+#       move_widevine_data.sh
+#
+# In addition, vendor needs to update device SELinux policy.
+#
+# The mv command preserves SELinux labels(i.e. media_data_file).
+# We need to run restorecon to put the correct context after the move.
+# However, restorecon is not implemented for /vendor/bin, so we put
+# the script in /system/bin.
 #
 include $(CLEAR_VARS)
 
@@ -48,7 +66,6 @@ LOCAL_HEADER_LIBRARIES := \
 
 LOCAL_MODULE := android.hardware.drm@1.0-service.widevine
 LOCAL_INIT_RC := src_hidl/android.hardware.drm@1.0-service.widevine.rc
-LOCAL_REQUIRED_MODULES := move_widevine_data.sh
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/bin/hw
 LOCAL_PROPRIETARY_MODULE := true
 LOCAL_MODULE_OWNER := widevine

From fe7ca1ad8710909eb369037096acd30b0f481b5e Mon Sep 17 00:00:00 2001
From: Anton Hansson <hansson@google.com>
Date: Tue, 27 Feb 2018 18:58:17 +0000
Subject: [PATCH 2/2] vendor/widevine: Set LOCAL_SDK_VERSION where possible.

This change sets LOCAL_SDK_VERSION for all packages where
this is possible without breaking the build, and
LOCAL_PRIVATE_PLATFORM_APIS := true otherwise.

Setting one of these two will be made required soon, and this
is a change in preparation for that. Not setting LOCAL_SDK_VERSION
makes the app implicitly depend on the bootclasspath, which is
often not required. This change effectively makes depending on
private apis opt-in rather than opt-out.

Test: make relevant packages
Bug: 73535841
Change-Id: I1c0366e78fb44f06bc07329866440097275f5b51
---
 libwvdrmengine/test/castv2/Android.mk | 1 +
 libwvdrmengine/test/java/Android.mk   | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libwvdrmengine/test/castv2/Android.mk b/libwvdrmengine/test/castv2/Android.mk
index 1b2b54b3..5c1a4e28 100644
--- a/libwvdrmengine/test/castv2/Android.mk
+++ b/libwvdrmengine/test/castv2/Android.mk
@@ -13,6 +13,7 @@ LOCAL_SRC_FILES := $(call all-java-files-under, src)
 LOCAL_JAVA_LIBRARIES := com.android.mediadrm.signer org.apache.http.legacy
 
 LOCAL_PACKAGE_NAME := CastSignAPITest
+LOCAL_PRIVATE_PLATFORM_APIS := true
 
 include $(BUILD_PACKAGE)
 
diff --git a/libwvdrmengine/test/java/Android.mk b/libwvdrmengine/test/java/Android.mk
index 93bdadcd..9a1ebaa0 100644
--- a/libwvdrmengine/test/java/Android.mk
+++ b/libwvdrmengine/test/java/Android.mk
@@ -14,8 +14,7 @@ LOCAL_DEX_PREOPT := false
 # When built, explicitly put it in the data/app partition.
 LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
 
-# TODO: This test app depends on framework implementation details.
-# LOCAL_SDK_VERSION := current
+LOCAL_SDK_VERSION := current
 
 include $(BUILD_PACKAGE)