Merge "Remove mediacodec from binder violators." into oc-dev

private/app.te

@@ -273,6 +273,9 @@ get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
 # App can access configstore HAL which is read only
 binder_call({ appdomain -isolated_app }, hal_configstore)
 

private/system_server.te

@@ -199,6 +199,8 @@ hal_client_domain(system_server, hal_wifi)
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+binder_call(system_server, mediacodec)
+
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 

public/mediacodec.te

@@ -15,19 +15,17 @@ full_treble_only(`
 not_full_treble(`
     # on legacy devices, continue to allow /dev/binder traffic
     binder_use(mediacodec)
+    binder_service(mediacodec)
+    add_service(mediacodec, mediacodec_service)
+    allow mediacodec mediametrics_service:service_manager find;
+    allow mediacodec surfaceflinger_service:service_manager find;
 ')
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
 
 # Allow mediacodec access to composer sync fences
 allow mediacodec hal_graphics_composer:fd use;
 
-# TODO(b/36604251): Remove this once OMX HAL stops using Binder
-typeattribute mediacodec binder_in_vendor_violators;
-add_service(mediacodec, mediacodec_service)
-allow mediacodec mediametrics_service:service_manager find;
-allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;

public/mediaserver.te

@@ -132,6 +132,8 @@ allow mediaserver system_server:fd use;
 
 hal_client_domain(mediaserver, hal_allocator)
 
+binder_call(mediaserver, mediacodec)
+
 ###
 ### neverallow rules
 ###