From 52fb3edbb6714a3a347c50c6e9dc430de0260f98 Mon Sep 17 00:00:00 2001
From: Chong Zhang <chz@google.com>
Date: Fri, 31 Aug 2018 14:42:11 -0700
Subject: [PATCH] add media.codec.update service

Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse the existing
mediaextractor_update_service type, since the codec update
service is identical; this avoids adding a new one
for now, as we may not need the service anymore
after switching to APEX.

Bug: 111407413
Bug: 117290290

Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
---
 private/service_contexts | 1 +
 public/domain.te         | 7 +++++++
 public/mediaextractor.te | 2 +-
 public/mediaswcodec.te   | 9 +++++++++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/private/service_contexts b/private/service_contexts
index 064577952..c2a4ca1db 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -98,6 +98,7 @@ media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.extractor.update                    u:object_r:mediaextractor_update_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
+media.codec.update                        u:object_r:mediaextractor_update_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
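Review bot: The added `media.codec.update` entry carries the same type as `media.extractor.update`, so policy can no longer tell the two names apart: any domain allowed `add` on `mediaextractor_update_service` may register either name, and any domain allowed `find` reaches both. The commit message accepts this as temporary; if it is kept, a dedicated type (for example a placeholder name `mediaswcodec_update_service`, which would need its own declaration outside this hunk) would restore the separation. At minimum the shared label deserves a comment above the entry, such as `# Shares the extractor update type; registration is limited to userdebug/eng in domain.te`.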
diff --git a/public/domain.te b/public/domain.te
index fa476ddb4..42058f470 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -494,6 +494,7 @@ neverallow {
     -webview_zygote
     -zygote
     userdebug_or_eng(`-mediaextractor')
+    userdebug_or_eng(`-mediaswcodec')
 } {
     file_type
     -system_file_type
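Review bot: The `-mediaswcodec` exemption is added without a comment, and the neverallow it relaxes starts and ends outside this hunk, so the reason cannot be read at this spot. The exemption removes mediaswcodec from the whole source set of the rule, not only for the `apk_data_file` case that mediaswcodec.te grants in this commit, so a reader should be told the intent, e.g. `# mediaswcodec loads updated codec libs from the update apk (userdebug/eng only)` on the line above. It is worth confirming that no other target type covered by this rule is later granted to mediaswcodec on the strength of this exemption.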
@@ -1557,3 +1558,9 @@ neverallow {
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
+neverallow {
+  domain
+  userdebug_or_eng(`-mediaextractor')
+  userdebug_or_eng(`-mediaswcodec')
+} mediaextractor_update_service:service_manager add;
+
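Review bot: This neverallow constrains only `add`; `find` on `mediaextractor_update_service` is left to whatever allow rules exist, so nothing at this level prevents a later rule from granting lookup of the update service to an unrelated domain. If the set of intended clients is known, a companion neverallow for `find` would pin it down; that set is not visible in this patch, so it needs confirming with the author. The rule also lacks a comment; something like `# Only mediaextractor and mediaswcodec may register the update service, and only on userdebug/eng builds.` above it would state the intent.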
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 9e07efd39..8f588689f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,7 +37,7 @@ allow mediaextractor system_file:dir { read open };
 
 userdebug_or_eng(`
   # Allow extractor to add update service.
-  add_service(mediaextractor, mediaextractor_update_service)
+  allow mediaextractor mediaextractor_update_service:service_manager { find add };
 
   # Allow extractor to load media extractor plugins from update apk.
   allow mediaextractor apk_data_file:dir search;
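Review bot: The replacement of `add_service()` by a hand-written allow is not explained by the retained comment `# Allow extractor to add update service.`, so a later cleanup could restore the macro. As far as I know, `add_service()` in te_macros also emits a neverallow limiting `add` to the named domain, which would conflict with the mediaswcodec rule added in this commit; that is presumably the reason for the change. A comment such as `# Not add_service(): mediaswcodec also registers a service of this type; see the neverallow in domain.te.` would record it. The `userdebug_or_eng` block continues past the end of this hunk.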
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 1b1097be9..970256232 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,3 +7,12 @@ typeattribute mediaswcodec mediaswcodec_server;
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+userdebug_or_eng(`
+  binder_use(mediaswcodec)
+  # Add mediaextractor_update_service service
+  allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+
+  # Allow mediaswcodec to load libs from update apk.
+  allow mediaswcodec apk_data_file:file { open read execute getattr map };
+  allow mediaswcodec apk_data_file:dir { search getattr };
+')
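Review bot: The `apk_data_file:file { open read execute getattr map }` grant is wider than its comment suggests: `apk_data_file` labels installed APK data in general, not the update apk alone, so on userdebug/eng builds mediaswcodec may map and execute code from any file with that label. The grant is acceptable only because of the `userdebug_or_eng` wrapper, and the comment should say so, e.g. `# apk_data_file covers every installed apk, not just the update apk; keep this userdebug/eng-only.` The comment `# Add mediaextractor_update_service service` could also state that the type is shared with mediaextractor on purpose.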
-- 
GitLab