mt8163 · Copilot · Sep 4, 2025 · Sep 4, 2025
diff --git a/configs/props/system.prop b/configs/props/system.prop
@@ -12,6 +12,9 @@ debug.stagefright.omx_default_rank.sw-audio=1
 debug.stagefright.omx_default_rank=0
 debug.stagefright.ccodec=0
 
+# Network Security Configuration
+ro.config.network_security_config=/system/etc/security/network_security_config.xml
+
 # Audio
 ro.config.alarm_vol_steps=25
 ro.config.media_vol_steps=25

diff --git a/configs/props/vendor.prop b/configs/props/vendor.prop
@@ -6,6 +6,17 @@ ro.vendor.mtk_in_house_tee_support=true
 ro.vendor.mtk_sec_video_path_support=1
 vendor.mtk.vdec.waitkeyframeforplay=1
 
+# DRM Network Configuration
+drm.service.enabled=true
+ro.drm.clearkey.uuid=e2719d58-a985-b3c9-781a-b030af78d30e
+ro.drm.widevine.hl_output_level=1
+vendor.mediadrm.policy=000000
+persist.vendor.drm.settings_cache=30
+
+# Amazon DRM Configuration
+persist.vendor.amazon.drm.enabled=1
+ro.amazon.drm.certs.enabled=1
+
 # Display
 ro.vendor.mtk_pq_color_mode=1
 ro.vendor.mtk_pq_support=0

diff --git a/configs/security/network_security_config.xml b/configs/security/network_security_config.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Network Security Configuration for Amazon Karnak Device
+
+  This configuration allows cleartext traffic for Amazon Video DRM API calls
+  to prevent crashes during DRM provisioning and license acquisition.
+-->
+<network-security-config>
+    <domain-config cleartextTrafficPermitted="true">
+        <!-- Amazon Video API endpoints -->
+        <domain includeSubdomains="true">api.amazonvideo.com</domain>
+        <domain includeSubdomains="true">abxc3apcastp.na.api.amazonvideo.com</domain>
+        <domain includeSubdomains="true">device-metrics-us.amazon.com</domain>
+        <domain includeSubdomains="true">s3.amazonaws.com</domain>
+        <!-- Amazon DRM endpoints -->
+        <domain includeSubdomains="true">drm.amazonvideo.com</domain>
+        <domain includeSubdomains="true">drmapi.amazon.com</domain>
+        <!-- General Amazon domains for device services -->
+        <domain includeSubdomains="true">device-messaging-na.amazon.com</domain>
+        <domain includeSubdomains="true">kindle-time.amazon.com</domain>
+    </domain-config>
+    <base-config cleartextTrafficPermitted="false">
+        <trust-anchors>
+            <!-- Trust system certificate authorities -->
+            <certificates src="system"/>
+            <!-- Trust user added certificate authorities -->
+            <certificates src="user"/>
+        </trust-anchors>
+    </base-config>
+</network-security-config>
diff --git a/device.mk b/device.mk
@@ -182,6 +182,10 @@ PRODUCT_COPY_FILES += \
     $(LOCAL_PATH)/configs/seccomp/mediaextractor.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediaextractor.policy \
     $(LOCAL_PATH)/configs/seccomp/mediaswcodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediaswcodec.policy
 
+# Network Security Configuration
+PRODUCT_COPY_FILES += \
+    $(LOCAL_PATH)/configs/security/network_security_config.xml:$(TARGET_COPY_OUT_SYSTEM)/etc/security/network_security_config.xml
+
 # Wifi
 PRODUCT_COPY_FILES += \
     $(LOCAL_PATH)/configs/wifi/wpa_supplicant.conf:$(TARGET_COPY_OUT_VENDOR)/etc/wifi/wpa_supplicant.conf \

diff --git a/sepolicy/public/amzn_drmprov_check.te b/sepolicy/public/amzn_drmprov_check.te
@@ -4,3 +4,9 @@ init_daemon_domain(amzn_drmprov_check)
 allow amzn_drmprov_check trustzone_device:chr_file { read write open ioctl getattr };
 allow amzn_drmprov_check vendor_file:dir { read open ioctl getattr };
 allow amzn_drmprov_check kisd:unix_stream_socket connectto;
+
+# Network permissions for Amazon DRM provisioning
+allow amzn_drmprov_check self:tcp_socket { create connect getattr read write setopt getopt shutdown };
+allow amzn_drmprov_check self:udp_socket { create connect getattr read write setopt getopt };
+allow amzn_drmprov_check node_type:tcp_socket node_bind;
+allow amzn_drmprov_check port_type:tcp_socket name_connect;
diff --git a/sepolicy/public/amzn_drmprov_tool.te b/sepolicy/public/amzn_drmprov_tool.te
@@ -1,3 +1,9 @@
 type amzn_drmprov_tool_exec, exec_type, file_type, vendor_file_type;
 type amzn_drmprov_tool ,domain;
 init_daemon_domain(amzn_drmprov_tool)
+
+# Network permissions for Amazon DRM provisioning
+allow amzn_drmprov_tool self:tcp_socket { create connect getattr read write setopt getopt shutdown };
+allow amzn_drmprov_tool self:udp_socket { create connect getattr read write setopt getopt };
+allow amzn_drmprov_tool node_type:tcp_socket node_bind;
+allow amzn_drmprov_tool port_type:tcp_socket name_connect;
diff --git a/sepolicy/public/hal_drm_default.te b/sepolicy/public/hal_drm_default.te
@@ -17,3 +17,9 @@ allow hal_drm_default media_data_file:file getattr;
 allow hal_drm_default media_data_file:file read;
 allow hal_drm_default media_data_file:dir create_dir_perms;
 allow hal_drm_default media_data_file:file create_file_perms;
+
+# Network permissions for DRM license acquisition and API communication
+allow hal_drm_default self:tcp_socket { create connect getattr read write setopt getopt shutdown };
+allow hal_drm_default self:udp_socket { create connect getattr read write setopt getopt };
+allow hal_drm_default node_type:tcp_socket node_bind;
+allow hal_drm_default port_type:tcp_socket name_connect;
diff --git a/sepolicy/public/hal_drm_widevine.te b/sepolicy/public/hal_drm_widevine.te
@@ -21,3 +21,9 @@ allow hal_drm_widevine mediadrm_vendor_data_file:dir { add_name create getattr o
 allow hal_drm_widevine mediadrm_vendor_data_file:file {  getattr open read write };
 allow hal_drm_widevine trustzone_device:chr_file { read write open getattr ioctl };
 allow hal_drm_widevine kisd:unix_stream_socket connectto;
+
+# Network permissions for DRM license acquisition and API communication
+allow hal_drm_widevine self:tcp_socket { create connect getattr read write setopt getopt shutdown };
+allow hal_drm_widevine self:udp_socket { create connect getattr read write setopt getopt };
+allow hal_drm_widevine node_type:tcp_socket node_bind;
+allow hal_drm_widevine port_type:tcp_socket name_connect;
diff --git a/sepolicy/public/mediadrmserver.te b/sepolicy/public/mediadrmserver.te
@@ -15,4 +15,8 @@ allow mediadrmserver property_socket:sock_file write;
 allow mediadrmserver persist_data_file:file { read getattr open };
 allow mediadrmserver persist_data_file:dir search;
 
-
+# Network permissions for DRM license acquisition and API communication
+allow mediadrmserver self:tcp_socket { create connect getattr read write setopt getopt shutdown };
+allow mediadrmserver self:udp_socket { create connect getattr read write setopt getopt };
+allow mediadrmserver node_type:tcp_socket node_bind;
+allow mediadrmserver port_type:tcp_socket name_connect;