platform_system_sepolicy/vendor/mediacodec.te

type mediacodec, domain, mlstrustedsubject;
type mediacodec_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(mediacodec)

# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)

hal_server_domain(mediacodec, hal_codec2)
hal_server_domain(mediacodec, hal_omx)

# mediacodec may use an input surface from a different Codec2 or OMX service
hal_client_domain(mediacodec, hal_codec2)
hal_client_domain(mediacodec, hal_omx)

hal_client_domain(mediacodec, hal_allocator)
hal_client_domain(mediacodec, hal_graphics_allocator)

allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec gpu_device:dir r_dir_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;

crash_dump_fallback(mediacodec)

# get aac_drc_* properties
get_prop(mediacodec, aac_drc_prop)

# mediacodec should never execute any executable without a domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;

# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ udp_socket rawip_socket } *;
neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`type mediacodec, domain, mlstrustedsubject;`
			`type mediacodec_exec, exec_type, vendor_file_type, file_type;`

			`init_daemon_domain(mediacodec)`

add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00			`# can route /dev/binder traffic to /dev/vndbinder`
			`vndbinder_use(mediacodec)`

Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00			`hal_server_domain(mediacodec, hal_codec2)`
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`hal_server_domain(mediacodec, hal_omx)`

Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00			`# mediacodec may use an input surface from a different Codec2 or OMX service`
			`hal_client_domain(mediacodec, hal_codec2)`
			`hal_client_domain(mediacodec, hal_omx)`

mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`hal_client_domain(mediacodec, hal_allocator)`
			`hal_client_domain(mediacodec, hal_graphics_allocator)`
add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00
			`allow mediacodec gpu_device:chr_file rw_file_perms;`
Adds GPU sepolicy to support devices with DRM gralloc/rendering ... such as Cuttlefish (Cloud Android virtual device) which has a DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based rendering (when forwarding rendering commands to the host machine with Mesa3D in the guest and virglrenderer on the host). After this change is submitted, changes such as aosp/1997572 can be submitted to removed sepolicy that is currently duplicated across device/google/cuttlefish and device/linaro/dragonboard as well. Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions across several devices are removed in the attached topic). The uses of `sysfs_gpu:file` comes from Mesa using libdrm's `drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to get vendor id, device id, version etc. Ignore-AOSP-First: must be submitted in internal as a topic first to avoid having duplicate definitions of sysfs_gpu in projects that are only available in internal Bug: b/161819018 Test: launch_cvd Test: launch_cvd --gpu_mode=gfxstream Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c 2022-02-24 19:32:16 +01:00			`allow mediacodec gpu_device:dir r_dir_perms;`
Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00			`allow mediacodec ion_device:chr_file rw_file_perms;`
Allow mediacodec to allocate from the DMA-BUF system heap mediacodec currently only has permissions to allocate from ION heaps. The following permission is required for it to allocate from the DMA-BUF system heap via the the codec2 allocator. It resolves the following denial in the sdk_gphone_x86_64-userdebug target: 01-08 22:43:48.712 337 337 I auditd : type=1400 audit(0.0:6): avc: denied { getattr } for comm="android.hardwar" path="/dev/dma_heap/system-uncached" dev="tmpfs" ino=311 scontext=u:r:mediacodec:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 Bug: 170887642 Test: make and boot Change-Id: I5503ed6ffa47a84f614792de866ddafbec0cdcda 2021-01-14 06:05:07 +01:00			`allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;`
add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00			`allow mediacodec video_device:chr_file rw_file_perms;`
			`allow mediacodec video_device:dir search;`

Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00			`crash_dump_fallback(mediacodec)`

Move aac_drc props to aac_drc_prop Bug: 155844385 Test: sepolicy_tests Change-Id: I1755672b5cef876955f93020c519aaaabf814bbf 2020-05-06 11:30:20 +02:00			`# get aac_drc_* properties`
			`get_prop(mediacodec, aac_drc_prop)`

Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00			`# mediacodec should never execute any executable without a domain transition`
			`neverallow mediacodec { file_type fs_type }:file execute_no_trans;`

			`# Media processing code is inherently risky and thus should have limited`
			`# permissions and be isolated from the rest of the system and network.`
			`# Lengthier explanation here:`
			`# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html`
Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9 2021-06-07 21:37:31 +02:00			`neverallow mediacodec domain:{ udp_socket rawip_socket } *;`
			neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b 2019-04-30 14:09:28 +02:00