platform_system_sepolicy/vendor/mediacodec.te

type mediacodec, domain, mlstrustedsubject;
type mediacodec_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(mediacodec)

not_full_treble(`
    # on legacy devices, continue to allow /dev/binder traffic
    binder_use(mediacodec)
    binder_service(mediacodec)
    add_service(mediacodec, mediacodec_service)
    allow mediacodec mediametrics_service:service_manager find;
    allow mediacodec surfaceflinger_service:service_manager find;
')

# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)

hal_server_domain(mediacodec, hal_omx)

hal_client_domain(mediacodec, hal_allocator)
hal_client_domain(mediacodec, hal_graphics_allocator)

allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`type mediacodec, domain, mlstrustedsubject;`
			`type mediacodec_exec, exec_type, vendor_file_type, file_type;`

			`init_daemon_domain(mediacodec)`

			not_full_treble(`
			`# on legacy devices, continue to allow /dev/binder traffic`
			`binder_use(mediacodec)`
			`binder_service(mediacodec)`
			`add_service(mediacodec, mediacodec_service)`
			`allow mediacodec mediametrics_service:service_manager find;`
			`allow mediacodec surfaceflinger_service:service_manager find;`
			`')`

add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00			`# can route /dev/binder traffic to /dev/vndbinder`
			`vndbinder_use(mediacodec)`

mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`hal_server_domain(mediacodec, hal_omx)`

			`hal_client_domain(mediacodec, hal_allocator)`
			`hal_client_domain(mediacodec, hal_graphics_allocator)`
add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00
			`allow mediacodec gpu_device:chr_file rw_file_perms;`
			`allow mediacodec video_device:chr_file rw_file_perms;`
			`allow mediacodec video_device:dir search;`