From 56cdcd48d583b4cef4f63c3f7a1088dbd01cc932 Mon Sep 17 00:00:00 2001
From: Iliyan Malchev <malchev@google.com>
Date: Tue, 11 Apr 2017 20:01:51 -0700
Subject: [PATCH] Transition mediacodec to /dev/hwbinder and /dev/vndbinder

This change disables /dev/binder access to and by mediacodec on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin
Change-Id: I1e30a6c56950728f36351c41b2859221753fd91a
Signed-off-by: Iliyan Malchev <malchev@google.com>
---
 public/mediacodec.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/public/mediacodec.te b/public/mediacodec.te
index b8cde809e..c67078bf7 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -8,7 +8,14 @@ typeattribute mediacodec mlstrustedsubject;
 # and use macro hal_server_domain
 get_prop(mediacodec, hwservicemanager_prop)
 
-binder_use(mediacodec)
+full_treble_only(`
+    # on full-Treble devices, route all /dev/binder traffic to /dev/vndbinder
+    vndbinder_use(mediacodec)
+')
+not_full_treble(`
+    # on legacy devices, continue to allow /dev/binder traffic
+    binder_use(mediacodec)
+')
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
 binder_service(mediacodec)
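Review bot: The three unconditional rules after the new conditional blocks (`binder_call(mediacodec, binderservicedomain)`, `binder_call(mediacodec, appdomain)` and `binder_service(mediacodec)`) still apply on full-Treble devices, and nothing in the file says why they stay once `binder_use` is gone. The commit description says /dev/binder access to and by mediacodec is disabled there, so a reader cannot tell whether these grants are kept on purpose (presumably because `binder` class permissions are also checked for hwbinder/vndbinder transactions) or are leftovers that keep the domain wider than intended. If they are intentional, a comment above them such as `# kept on all devices: binder class rules also cover hwbinder/vndbinder callbacks` would record that. The restriction is also expressed only by the absence of an allow rule. If the tree has no equivalent assertion already, a `neverallow mediacodec servicemanager:binder { call transfer };` wrapped in `full_treble_only` would make a later re-grant fail at build time.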
-- 
GitLab