From 6d3e772828c0aaab5d611f6476f067efe9156b2a Mon Sep 17 00:00:00 2001 From: Brian Lindahl Date: Tue, 26 Sep 2023 12:53:21 -0600 Subject: [PATCH] Allow for server-side configuration of libstagefright Relaxation of SELinux policies to allow users of libstagefright and MediaCodec to be able to query server-side configurable flags. Bug: 301372559 Bug: 301250938 Test: run cts -m CtsSecurityHostTestCases Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c Merged-In: I72670ee42c268dd5747c2411d25959d366dd972c --- prebuilts/api/31.0/public/domain.te | 4 ++++ prebuilts/api/31.0/public/property.te | 2 +- prebuilts/api/32.0/public/domain.te | 4 ++++ prebuilts/api/32.0/public/property.te | 2 +- public/domain.te | 4 ++++ public/property.te | 2 +- 6 files changed, 15 insertions(+), 3 deletions(-) diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te index 799a2f1c5..38266cd20 100644 --- a/prebuilts/api/31.0/public/domain.te +++ b/prebuilts/api/31.0/public/domain.te @@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;') allow domain apex_mnt_dir:dir { getattr search }; allow domain apex_mnt_dir:lnk_file r_file_perms; +# Allow everyone to read media server-configurable flags, so that libstagefright can be +# configured using server-configurable flags +get_prop(domain, device_config_media_native_prop) + ### ### neverallow rules ### diff --git a/prebuilts/api/31.0/public/property.te b/prebuilts/api/31.0/public/property.te index 1d3f358fd..57b6ad606 100644 --- a/prebuilts/api/31.0/public/property.te +++ b/prebuilts/api/31.0/public/property.te @@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop) system_internal_prop(device_config_activity_manager_native_boot_prop) system_internal_prop(device_config_boot_count_prop) system_internal_prop(device_config_input_native_boot_prop) -system_internal_prop(device_config_media_native_prop) system_internal_prop(device_config_netd_native_prop) system_internal_prop(device_config_reset_performed_prop) system_internal_prop(firstboot_prop) @@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop) system_restricted_prop(build_bootimage_prop) system_restricted_prop(build_prop) system_restricted_prop(charger_status_prop) +system_restricted_prop(device_config_media_native_prop) system_restricted_prop(device_config_runtime_native_boot_prop) system_restricted_prop(device_config_runtime_native_prop) system_restricted_prop(fingerprint_prop) diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te index 799a2f1c5..38266cd20 100644 --- a/prebuilts/api/32.0/public/domain.te +++ b/prebuilts/api/32.0/public/domain.te @@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;') allow domain apex_mnt_dir:dir { getattr search }; allow domain apex_mnt_dir:lnk_file r_file_perms; +# Allow everyone to read media server-configurable flags, so that libstagefright can be +# configured using server-configurable flags +get_prop(domain, device_config_media_native_prop) + ### ### neverallow rules ### diff --git a/prebuilts/api/32.0/public/property.te b/prebuilts/api/32.0/public/property.te index 2b2af6d19..f019b2304 100644 --- a/prebuilts/api/32.0/public/property.te +++ b/prebuilts/api/32.0/public/property.te @@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop) system_internal_prop(device_config_activity_manager_native_boot_prop) system_internal_prop(device_config_boot_count_prop) system_internal_prop(device_config_input_native_boot_prop) -system_internal_prop(device_config_media_native_prop) system_internal_prop(device_config_netd_native_prop) system_internal_prop(device_config_reset_performed_prop) system_internal_prop(firstboot_prop) @@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop) system_restricted_prop(build_bootimage_prop) system_restricted_prop(build_prop) system_restricted_prop(charger_status_prop) +system_restricted_prop(device_config_media_native_prop) system_restricted_prop(device_config_runtime_native_boot_prop) system_restricted_prop(device_config_runtime_native_prop) system_restricted_prop(fingerprint_prop) diff --git a/public/domain.te b/public/domain.te index 799a2f1c5..38266cd20 100644 --- a/public/domain.te +++ b/public/domain.te @@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;') allow domain apex_mnt_dir:dir { getattr search }; allow domain apex_mnt_dir:lnk_file r_file_perms; +# Allow everyone to read media server-configurable flags, so that libstagefright can be +# configured using server-configurable flags +get_prop(domain, device_config_media_native_prop) + ### ### neverallow rules ### diff --git a/public/property.te b/public/property.te index 2b2af6d19..f019b2304 100644 --- a/public/property.te +++ b/public/property.te @@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop) system_internal_prop(device_config_activity_manager_native_boot_prop) system_internal_prop(device_config_boot_count_prop) system_internal_prop(device_config_input_native_boot_prop) -system_internal_prop(device_config_media_native_prop) system_internal_prop(device_config_netd_native_prop) system_internal_prop(device_config_reset_performed_prop) system_internal_prop(firstboot_prop) @@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop) system_restricted_prop(build_bootimage_prop) system_restricted_prop(build_prop) system_restricted_prop(charger_status_prop) +system_restricted_prop(device_config_media_native_prop) system_restricted_prop(device_config_runtime_native_boot_prop) system_restricted_prop(device_config_runtime_native_prop) system_restricted_prop(fingerprint_prop)