From bdbfff1b00e543913a72c1fe4e8b10176234af50 Mon Sep 17 00:00:00 2001
From: Chong Zhang <chz@google.com>
Date: Thu, 20 Sep 2018 12:07:44 -0700
Subject: [PATCH] add mediaswcodec service

Set up a new mediaswcodec service and SELinux domain to host software media codecs.

Bug: 111407413

Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
---
 private/compat/26.0/26.0.ignore.cil |  3 +++
 private/compat/27.0/27.0.ignore.cil |  3 +++
 private/compat/28.0/28.0.ignore.cil |  3 +++
 private/file_contexts               |  1 +
 private/mediaswcodec.te             |  4 +++
 public/attributes                   |  1 +
 public/domain.te                    |  8 ++++++
 public/hal_omx.te                   | 10 +++-----
 public/mediaswcodec.te              |  9 +++++++
 public/swcodec_service_server.te    | 40 +++++++++++++++++++++++++++++
 vendor/mediacodec.te                |  9 ++++++-
 11 files changed, 83 insertions(+), 8 deletions(-)
 create mode 100644 private/mediaswcodec.te
 create mode 100644 public/mediaswcodec.te
 create mode 100644 public/swcodec_service_server.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 54edb40b8..3cf086b05 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -104,6 +104,9 @@
     lowpan_device
     lowpan_prop
     lowpan_service
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     mediaextractor_update_service
     mediaprovider_tmpfs
     metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1df6a0e52..3fccdf32f 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -95,6 +95,9 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     metadata_file
     mnt_product_file
     mnt_vendor_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e02421d90..3404dd5e6 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -36,6 +36,9 @@
     iorapd_data_file
     iorapd_service
     iorapd_tmpfs
+    mediaswcodec
+    mediaswcodec_exec
+    mediaswcodec_tmpfs
     mnt_product_file
     overlayfs_file
     recovery_socket
diff --git a/private/file_contexts b/private/file_contexts
index 3b852136f..a70f61bcb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -229,6 +229,7 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
+/system/bin/mediaswcodec	u:object_r:mediaswcodec_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
new file mode 100644
index 000000000..50f569875
--- /dev/null
+++ b/private/mediaswcodec.te
@@ -0,0 +1,4 @@
+typeattribute mediaswcodec coredomain;
+
+init_daemon_domain(mediaswcodec)
+
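Review bot: The new private policy file has no header comment, so a reader has to open the public counterpart to learn what `mediaswcodec` is and why it is marked coredomain; add a one-line header above the typeattribute line such as `# Private policy for the mediaswcodec daemon (/system/bin/mediaswcodec), the system-side software codec service.` The file also ends with an added empty line, which can be dropped.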
diff --git a/public/attributes b/public/attributes
index 79cc20d09..f56919a8b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -302,3 +302,4 @@ hal_attribute(wifi_supplicant);
 
 attribute display_service_server;
 attribute wifi_keystore_service_server;
+attribute mediaswcodec_server;
diff --git a/public/domain.te b/public/domain.te
index 244e08948..0f17fab13 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1197,6 +1197,7 @@ neverallow {
 
   # Processes that can't exec crash_dump
   -hal_omx_server
+  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1551,3 +1552,10 @@ full_treble_only(`
     -incidentd
   } sysfs_batteryinfo:file { open read };
 ')
+
+neverallow {
+  domain
+  -mediaswcodec_server
+  -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
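Review bot: The new neverallow at the end of the hunk has no comment explaining who may register hal_codec2_hwservice and why, while the other neverallow in this hunk is commented; add `# Only the OMX HAL server and the system software codec service may register the Codec2 hwservice.` above it. The rule restricts `add` to two attributes, so it is only as strong as the set of types a device policy assigns to hal_omx_server and mediaswcodec_server; a vendor domain given either attribute is not caught here, which is worth stating in that comment. The hunk also appends an empty line at end of file, which can be dropped.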
diff --git a/public/hal_omx.te b/public/hal_omx.te
index a477875b2..656b03ac8 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -2,18 +2,12 @@
 # since OMX must always be in its own process.
 
 
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(hal_omx_server)
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
 # Allow hal_omx_server access to composer sync fences
 allow hal_omx_server hal_graphics_composer:fd use;
 
-allow hal_omx_server gpu_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:dir search;
 allow hal_omx_server ion_device:chr_file rw_file_perms;
 allow hal_omx_server hal_camera:fd use;
 
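Review bot: Dropping `vndbinder_use` and the `gpu_device`/`video_device` rules from the hal_omx_server attribute changes what every domain declared with hal_server_domain(..., hal_omx) may do, and this patch re-grants them only to the concrete `mediacodec` domain in vendor/mediacodec.te. That is the right least-privilege direction, but a device policy that hosts its OMX HAL in a different domain would presumably lose device access with nothing in this file explaining where it went; a note such as `# gpu_device/video_device access and vndbinder routing are granted per concrete domain (see vendor/mediacodec.te), not on this attribute.` would help the next reader. Note also that hal_omx_server keeps `rw_file_perms` on ion_device while the new mediaswcodec_server gets only `r_file_perms`; if ION is driven through ioctl alone, the write bit is likely unnecessary here as well.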
@@ -26,7 +20,9 @@ crash_dump_fallback(hal_omx_server)
 allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)
+
+allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
+allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
 
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
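Review bot: Replacing `hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)` with two bare allow rules changes more than the allows if that macro also emits a neverallow on `find` for domains that are neither client nor server, as the te_macros definition in this tree may; the explicit rules keep the allows but would drop that guard, and the neverallow added in domain.te covers only `add`. If so, restore the find-side restriction with the new server included: `neverallow { domain -hal_omx_client -hal_omx_server -mediaswcodec_server } hal_codec2_hwservice:hwservice_manager find;`. A one-line comment above the allow rules saying why the macro is no longer usable (the Codec2 hwservice now has two registering attributes) would make the intent clear.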
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
new file mode 100644
index 000000000..1b1097be9
--- /dev/null
+++ b/public/mediaswcodec.te
@@ -0,0 +1,9 @@
+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediaswcodec halserverdomain;
+typeattribute mediaswcodec mediaswcodec_server;
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
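Review bot: The new domain declaration carries no comment describing the process it governs or why it is a halserverdomain, and the rules that actually apply to it via the `mediaswcodec_server` attribute live in a file whose name does not match the attribute (swcodec_service_server.te). Add a header such as `# mediaswcodec: system-side software codec service; registers hal_codec2_hwservice through the mediaswcodec_server attribute (rules in swcodec_service_server.te).` Consider naming that file after the attribute to follow the hal_omx.te / hal_omx_server convention. The trailing empty added line can be dropped.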
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
new file mode 100644
index 000000000..f20d9904c
--- /dev/null
+++ b/public/swcodec_service_server.te
@@ -0,0 +1,40 @@
+# Add hal_codec2_hwservice to mediaswcodec_server
+allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
+allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
+
+# Allow mediaswcodec_server access to composer sync fences
+allow mediaswcodec_server hal_graphics_composer:fd use;
+
+allow mediaswcodec_server ion_device:chr_file r_file_perms;
+allow mediaswcodec_server hal_camera:fd use;
+
+crash_dump_fallback(mediaswcodec_server)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediaswcodec_server bufferhubd:fd use;
+
+binder_call(mediaswcodec_server, hal_omx_client)
+binder_call(hal_omx_client, mediaswcodec_server)
+
+###
+### neverallow rules
+###
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver/codec split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
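Review bot: The comment above `allow mediaswcodec_server bufferhubd:fd use;` was copied from hal_omx.te and still says the VR app "talks to hal_omx_server via Binder", which is wrong for this domain, and it misspells "Receive"; reword it to describe mediaswcodec_server (the server never connects to bufferhubd over PDX itself, a VR app bridges the two, hence no pdx_client macro). Separately, the `hidl_base_hwservice:hwservice_manager add` rule near the top is presumably already granted by halserverdomain, in which case it is redundant here; if it is kept on purpose, a comment saying why would help. Since the filename does not say so, a header stating that these rules attach to the `mediaswcodec_server` attribute rather than the `mediaswcodec` type would also be worth adding.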
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index a235145cc..29e1a9015 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -12,8 +12,15 @@ not_full_treble(`
     allow mediacodec surfaceflinger_service:service_manager find;
 ')
 
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
 hal_server_domain(mediacodec, hal_omx)
 
 hal_client_domain(mediacodec, hal_allocator)
-hal_client_domain(mediacodec, hal_cas)
 hal_client_domain(mediacodec, hal_graphics_allocator)
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+
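Review bot: The removal of `hal_client_domain(mediacodec, hal_cas)` is a functional change the commit message does not mention: unless CAS access reaches mediacodec through some other rule, the vendor codec process loses its ability to find and call the CAS HAL. If that is intentional (e.g. CAS handling moving out of this process), say so in the commit message and leave a one-line comment where the rule was; if not, the line should stay. The moved device-access rules would also benefit from a comment such as `# gpu_device/video_device access is granted to the concrete mediacodec domain, not to the hal_omx_server attribute.` The hunk ends with an added empty line which can be dropped.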
-- 
GitLab