platform_system_sepolicy/public/hal_omx.te

# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.

binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })

# Allow hal_omx_server access to composer sync fences
allow hal_omx_server hal_graphics_composer:fd use;

allow hal_omx_server ion_device:chr_file rw_file_perms;
allow hal_omx_server hal_camera:fd use;

crash_dump_fallback(hal_omx_server)

# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
allow hal_omx_server bufferhubd:fd use;

hal_attribute_hwservice(hal_omx, hal_omx_hwservice)

allow hal_omx_client hidl_token_hwservice:hwservice_manager find;

get_prop(hal_omx_client, media_variant_prop)
get_prop(hal_omx_server, media_variant_prop)

binder_call(hal_omx_client, hal_omx_server)
binder_call(hal_omx_server, hal_omx_client)

###
### neverallow rules
###

# hal_omx_server should never execute any executable without a
# domain transition
neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`# applies all permissions to hal_omx NOT hal_omx_server`
			`# since OMX must always be in its own process.`

			`binder_call(hal_omx_server, binderservicedomain)`
			`binder_call(hal_omx_server, { appdomain -isolated_app })`

			`# Allow hal_omx_server access to composer sync fences`
			`allow hal_omx_server hal_graphics_composer:fd use;`

			`allow hal_omx_server ion_device:chr_file rw_file_perms;`
			`allow hal_omx_server hal_camera:fd use;`

			`crash_dump_fallback(hal_omx_server)`

			`# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never`
			`# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge`
			`# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd`
			`# via PDX. Thus, there is no need to use pdx_client macro.`
			`allow hal_omx_server bufferhubd:fd use;`

hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 18:30:18 +02:00			`hal_attribute_hwservice(hal_omx, hal_omx_hwservice)`
add mediaswcodec service Set up a new service for sw media codec services. Bug: 111407413 Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e 2018-09-20 21:07:44 +02:00
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`allow hal_omx_client hidl_token_hwservice:hwservice_manager find;`

Allow XML file paths to be customized with sysprop Three properties are declared as vendor-init-settable: ro.media.xml_variant.codecs ro.media.xml_variant.codecs_performance ro.media.xml_variant.profiles media_codecs.xml can now be named media_codecs${ro.media.xml_variant.codecs}.xml media_codecs_performance.xml can now be named media_codecs_performance${ro.media.xml_variant.codecs_performance}.xml media_profiles_V1_0 can now be named media_profiles${ro.media.xml_variant.profiles}.xml Test: Rename "media_codecs.xml" to "media_codecs_test.xml", set ro.media.xml_variant.codecs to "_test", then call "stagefright -i". Test: Rename "media_codecs_performance.xml" to "media_codecs_performance_test.xml", set ro.media.xml_variant.codecs_performance to "_test", then run android.media.cts.VideoDecoderPerfTest. Test: Rename "media_profiles_V1_0.xml" to "media_profiles_test.xml", set ro.media.xml_variant.profiles to "_test", then run vts_mediaProfiles_validate_test. Bug: 142102953 Change-Id: I407a0a327fcc8e799bb4079b11048a497565be48 2020-03-07 13:15:38 +01:00			`get_prop(hal_omx_client, media_variant_prop)`
			`get_prop(hal_omx_server, media_variant_prop)`

mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00			`binder_call(hal_omx_client, hal_omx_server)`
Find hal_foo_hwservice -> you are hal_foo_client. Before, it was possible to access a hwservice without declaring that you were a client. This introduces the following macro: hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice) which makes sure the above implication holds using a neverallow rule. Bug: 80319537 Test: boot + sanity Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6 2018-05-31 01:43:17 +02:00			`binder_call(hal_omx_server, hal_omx_client)`
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e 2018-05-26 01:23:37 +02:00
			`###`
			`### neverallow rules`
			`###`

			`# hal_omx_server should never execute any executable without a`
			`# domain transition`
			`neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;`

			`# The goal of the mediaserver split is to place media processing code into`
			`# restrictive sandboxes with limited responsibilities and thus limited`
			`# permissions. Example: Audioserver is only responsible for controlling audio`
			`# hardware and processing audio content. Cameraserver does the same for camera`
			`# hardware/content. Etc.`
			`#`
			`# Media processing code is inherently risky and thus should have limited`
			`# permissions and be isolated from the rest of the system and network.`
			`# Lengthier explanation here:`
			`# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html`
Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9 2021-06-07 21:37:31 +02:00			`neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;`
			neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;