platform_system_sepolicy/public/mediaswcodec.te

30 lines
1.2 KiB
Text
Raw Normal View History

type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
hal_server_domain(mediaswcodec, hal_codec2)
# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service
hal_client_domain(mediaswcodec, hal_codec2)
hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
Add permissions required for new DMA-BUF heap allocator avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm="HwBinder:413_3" name="system" dev="tmpfs" ino=379 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui it(0.0:83): avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui Test: video playback without denials with DMA-BUF heaps enabled Bug: 168333162 Change-Id: If936c5561ebf891e4b687a2c18760d16e0d31275
2020-09-11 23:00:59 +02:00
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
Allow codec2 to allocate from system-secure heap Codec2 clients should have the permission to allocate from the system-secure DMA-BUF heap for secure playback. avc: denied { ioctl } for path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system-secure" dev="tmpfs" ino=649 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for name="system-secure" dev="tmpfs" ino=649 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system-secure" dev="tmpfs" ino=649 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 app=com.android.systemui 0:145): avc: denied { open } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=1 Bug: 172527615 Test: manual Change-Id: I465e5fcd660bb548e93d683e9d20cace7421ed2d
2021-01-12 21:05:20 +01:00
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaswcodec gpu_device:chr_file rw_file_perms;
allow mediaswcodec gpu_device:dir r_dir_perms;