Merge "add mediaswcodec service"

private/compat/26.0/26.0.ignore.cil

@@ -104,6 +104,9 @@
     lowpan_device
     lowpan_prop
     lowpan_service
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     mediaextractor_update_service
     mediaprovider_tmpfs
     metadata_file

private/compat/27.0/27.0.ignore.cil

@@ -95,6 +95,9 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     metadata_file
     mnt_product_file
     mnt_vendor_file

private/compat/28.0/28.0.ignore.cil

@@ -36,6 +36,9 @@
     iorapd_data_file
     iorapd_service
     iorapd_tmpfs
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     mnt_product_file
     overlayfs_file
     recovery_socket

private/file_contexts

@@ -229,6 +229,7 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
+/system/bin/mediaswcodec	u:object_r:mediaswcodec_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0

private/mediaswcodec.te

+typeattribute mediaswcodec coredomain;
+
+init_daemon_domain(mediaswcodec)
+

public/attributes

@@ -302,3 +302,4 @@ hal_attribute(wifi_supplicant);
 
 attribute display_service_server;
 attribute wifi_keystore_service_server;
+attribute mediaswcodec_server;

public/domain.te

@@ -1197,6 +1197,7 @@ neverallow {
 
   # Processes that can't exec crash_dump
   -hal_omx_server
+  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1551,3 +1552,10 @@ full_treble_only(`
     -incidentd
   } sysfs_batteryinfo:file { open read };
 ')
+
+neverallow {
+  domain
+  -mediaswcodec_server
+  -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+

public/hal_omx.te

@@ -2,18 +2,12 @@
 # since OMX must always be in its own process.
 
 
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(hal_omx_server)
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
 # Allow hal_omx_server access to composer sync fences
 allow hal_omx_server hal_graphics_composer:fd use;
 
-allow hal_omx_server gpu_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:dir search;
 allow hal_omx_server ion_device:chr_file rw_file_perms;
 allow hal_omx_server hal_camera:fd use;
 
@@ -26,7 +20,9 @@ crash_dump_fallback(hal_omx_server)
 allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)
+
+allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
+allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
 
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 

public/mediaswcodec.te

+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediaswcodec halserverdomain;
+typeattribute mediaswcodec mediaswcodec_server;
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+

public/swcodec_service_server.te

+# Add hal_codec2_hwservice to mediaswcodec_server
+allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
+allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
+
+# Allow mediaswcodec_server access to composer sync fences
+allow mediaswcodec_server hal_graphics_composer:fd use;
+
+allow mediaswcodec_server ion_device:chr_file r_file_perms;
+allow mediaswcodec_server hal_camera:fd use;
+
+crash_dump_fallback(mediaswcodec_server)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediaswcodec_server bufferhubd:fd use;
+
+binder_call(mediaswcodec_server, hal_omx_client)
+binder_call(hal_omx_client, mediaswcodec_server)
+
+###
+### neverallow rules
+###
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver/codec split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

vendor/mediacodec.te

@@ -12,8 +12,15 @@ not_full_treble(`
     allow mediacodec surfaceflinger_service:service_manager find;
 ')
 
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
 hal_server_domain(mediacodec, hal_omx)
 
 hal_client_domain(mediacodec, hal_allocator)
-hal_client_domain(mediacodec, hal_cas)
 hal_client_domain(mediacodec, hal_graphics_allocator)
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+