2016-02-03 01:10:37 +01:00
|
|
|
# mediacodec - audio and video codecs live here
|
|
|
|
type mediacodec, domain;
|
2017-04-10 22:03:28 +02:00
|
|
|
type mediacodec_exec, exec_type, vendor_file_type, file_type;
|
2016-02-03 01:10:37 +01:00
|
|
|
|
|
|
|
typeattribute mediacodec mlstrustedsubject;
|
|
|
|
|
2017-03-22 17:16:49 +01:00
|
|
|
# TODO(b/36375899) attributize this domain appropriately as hal_omx
|
|
|
|
# and use macro hal_server_domain
|
|
|
|
get_prop(mediacodec, hwservicemanager_prop)
|
|
|
|
|
2016-02-03 01:10:37 +01:00
|
|
|
binder_use(mediacodec)
|
|
|
|
binder_call(mediacodec, binderservicedomain)
|
|
|
|
binder_call(mediacodec, appdomain)
|
|
|
|
binder_service(mediacodec)
|
|
|
|
|
2017-03-25 01:22:17 +01:00
|
|
|
# TODO(b/36604251): Remove this once OMX HAL stops using Binder
|
|
|
|
typeattribute mediacodec binder_in_vendor_violators;
|
2017-01-19 22:23:52 +01:00
|
|
|
add_service(mediacodec, mediacodec_service)
|
2017-01-24 21:53:45 +01:00
|
|
|
allow mediacodec mediametrics_service:service_manager find;
|
2016-02-28 06:25:03 +01:00
|
|
|
allow mediacodec surfaceflinger_service:service_manager find;
|
2016-02-03 01:10:37 +01:00
|
|
|
allow mediacodec gpu_device:chr_file rw_file_perms;
|
|
|
|
allow mediacodec video_device:chr_file rw_file_perms;
|
2016-02-11 19:33:57 +01:00
|
|
|
allow mediacodec video_device:dir search;
|
2016-02-24 19:03:25 +01:00
|
|
|
allow mediacodec ion_device:chr_file rw_file_perms;
|
2017-02-25 02:45:11 +01:00
|
|
|
allow mediacodec hal_camera:fd use;
|
|
|
|
|
2017-03-07 03:13:05 +01:00
|
|
|
crash_dump_fallback(mediacodec)
|
2016-02-03 01:10:37 +01:00
|
|
|
|
Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.
This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.
Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.
P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-21 22:28:53 +01:00
|
|
|
hal_client_domain(mediacodec, hal_allocator)
|
2017-01-24 11:45:16 +01:00
|
|
|
|
2017-03-30 04:08:34 +02:00
|
|
|
# allocate and use graphic buffers
|
|
|
|
hal_client_domain(mediacodec, hal_graphics_allocator)
|
|
|
|
|
2017-03-10 03:44:07 +01:00
|
|
|
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
|
|
|
|
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
|
|
|
|
# between those two: it talks to mediacodec via Binder and talks to bufferhubd
|
|
|
|
# via PDX. Thus, there is no need to use use_pdx macro.
|
|
|
|
allow mediacodec bufferhubd:fd use;
|
|
|
|
|
2016-02-03 01:10:37 +01:00
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# mediacodec should never execute any executable without a
|
|
|
|
# domain transition
|
|
|
|
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
|
|
|
|
|
2017-02-16 21:34:51 +01:00
|
|
|
# The goal of the mediaserver split is to place media processing code into
|
|
|
|
# restrictive sandboxes with limited responsibilities and thus limited
|
|
|
|
# permissions. Example: Audioserver is only responsible for controlling audio
|
|
|
|
# hardware and processing audio content. Cameraserver does the same for camera
|
|
|
|
# hardware/content. Etc.
|
|
|
|
#
|
|
|
|
# Media processing code is inherently risky and thus should have limited
|
|
|
|
# permissions and be isolated from the rest of the system and network.
|
|
|
|
# Lengthier explanation here:
|
|
|
|
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
2016-04-23 00:34:40 +02:00
|
|
|
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
|