Merge "Put in sepolicies for Codec2.0 services" into pi-dev

eaee65f0 · TreeHugger Robot · Android (Google) Code Review · 941cc9c8 · 4be28894 · eaee65f0
Commit eaee65f0 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -175,10 +175,12 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
  hwservice_manager_type
  -same_process_hwservice
  -coredomain_hwservice
+  -hal_codec2_hwservice
  -hal_configstore_ISurfaceFlingerConfigs
  -hal_graphics_allocator_hwservice
  -hal_omx_hwservice

--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,6 +43,7 @@
    hal_authsecret_hwservice
    hal_broadcastradio_hwservice
    hal_cas_hwservice
+    hal_codec2_hwservice
    hal_confirmationui_hwservice
    hal_lowpan_hwservice
    hal_neuralnetworks_hwservice

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,6 +37,7 @@
    fingerprint_vendor_data_file
    fs_bpf
    hal_authsecret_hwservice
+    hal_codec2_hwservice
    hal_confirmationui_hwservice
    hal_lowpan_hwservice
    hal_secure_element_hwservice

--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@ hal_client_domain(mediaserver, hal_graphics_allocator)

 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -195,6 +195,7 @@ hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)

--- a/public/app.te
+++ b/public/app.te
@@ -219,6 +219,7 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;


--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;

--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -33,6 +33,7 @@ allow mediacodec hal_camera:fd use;

 crash_dump_fallback(mediacodec)

+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)

 hal_client_domain(mediacodec, hal_allocator)