From b1bf83fd794c5863289edf459c8c05a906dac9f7 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Thu, 28 Jan 2016 13:51:28 -0800
Subject: [PATCH] Revert "selinux rules for codec process"

This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
---
 dumpstate.te     |  4 ++--
 file_contexts    |  1 -
 mediacodec.te    | 46 ----------------------------------------------
 mediaserver.te   |  1 -
 nfc.te           |  1 -
 platform_app.te  |  1 -
 priv_app.te      |  1 -
 service.te       |  1 -
 service_contexts |  1 -
 system_server.te |  4 +---
 untrusted_app.te |  1 -
 11 files changed, 3 insertions(+), 59 deletions(-)
 delete mode 100644 mediacodec.te

diff --git a/dumpstate.te b/dumpstate.te
index f7a84f6bc..16be441cf 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@ allow dumpstate { appdomain autoplay_app system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
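Review bot: The two `allow dumpstate { ... }` rules each keep their own hand-edited copy of the domain set, and the comment above them says the set mirrors native_processes_to_dump in dumpstate/utils.c, which this patch does not touch. Because the revert only edits the policy side, the reader has to confirm separately that the utils.c list no longer names the codec process. If it still does, the mismatch would most likely surface only as a runtime denial, not a build error. I would extend the comment so the coupling is explicit, e.g. `# Keep both rules below in sync with each other and with native_processes_to_dump.` The same hand-maintained pairing appears in the first system_server.te hunk (the `debuggerd dump_backtrace` set and the `r_dir_file` lines), where a matching comment would help.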
diff --git a/file_contexts b/file_contexts
index 17979dc34..bdee0c555 100644
--- a/file_contexts
+++ b/file_contexts
@@ -168,7 +168,6 @@
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec	u:object_r:mediacodec_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
diff --git a/mediacodec.te b/mediacodec.te
deleted file mode 100644
index 7cc7765fb..000000000
--- a/mediacodec.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# mediacodec - multimedia daemon
-type mediacodec, domain, domain_deprecated;
-type mediacodec_exec, exec_type, file_type;
-
-typeattribute mediacodec mlstrustedsubject;
-
-init_daemon_domain(mediacodec)
-
-binder_use(mediacodec)
-binder_call(mediacodec, binderservicedomain)
-binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
-
-allow mediacodec kernel:system module_request;
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir r_dir_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediacodec, drmserver, drmserver)
-
-allow mediacodec drmserver_service:service_manager find;
-allow mediacodec mediacodec_service:service_manager { add find };
-allow mediacodec processinfo_service:service_manager find;
-allow mediacodec surfaceflinger_service:service_manager find;
-
-use_drmservice(mediacodec)
-allow mediacodec drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-###
-### neverallow rules
-###
-
-# mediacodec should never execute any executable without a
-# domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
diff --git a/mediaserver.te b/mediaserver.te
index 33fd26737..a54e198f4 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -92,7 +92,6 @@ allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 87c68a784..6333e596b 100644
--- a/nfc.te
+++ b/nfc.te
@@ -22,7 +22,6 @@ allow nfc cameraserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 3d46f7f87..08a312a39 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -43,7 +43,6 @@ allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index 9a3d0ac52..9c43ec21f 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -24,7 +24,6 @@ allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app surfaceflinger_service:service_manager find;
diff --git a/service.te b/service.te
index 7c771d2fc..7e004b420 100644
--- a/service.te
+++ b/service.te
@@ -10,7 +10,6 @@ type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediacodec_service,        service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
diff --git a/service_contexts b/service_contexts
index 972718a62..1f3e572ec 100644
--- a/service_contexts
+++ b/service_contexts
@@ -68,7 +68,6 @@ media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
-media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:audioserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
diff --git a/system_server.te b/system_server.te
index 65be90165..979dd0caf 100644
--- a/system_server.te
+++ b/system_server.te
@@ -139,14 +139,13 @@ binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, audioserver)
 r_dir_file(system_server, cameraserver)
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, mediaextractor)
-r_dir_file(system_server, mediacodec)
 r_dir_file(system_server, sdcardd)
 r_dir_file(system_server, surfaceflinger)
 r_dir_file(system_server, inputflinger)
@@ -393,7 +392,6 @@ allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 33a61711f..d864424b9 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,7 +72,6 @@ allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app mediaextractor_service:service_manager find;
-allow untrusted_app mediacodec_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-- 
GitLab