From 19a74ec88a5716da878af2d850c88b231d8dbfbe Mon Sep 17 00:00:00 2001
From: Pawin Vongmasa <pawin@google.com>
Date: Wed, 28 Mar 2018 21:09:23 -0700
Subject: [PATCH] Put in sepolicies for Codec2.0 services

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be28894772bccf5604fd36a75d07bb64e826c88)
---
 private/app_neverallows.te          | 2 ++
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/mediaserver.te              | 1 +
 private/system_server.te            | 1 +
 public/app.te                       | 1 +
 public/hwservice.te                 | 1 +
 public/mediacodec.te                | 1 +
 8 files changed, 9 insertions(+)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ca18c0396..819408ac3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -173,10 +173,12 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
   -same_process_hwservice
   -coredomain_hwservice
+  -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d4de3b956..0cd9d0e59 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -47,6 +47,7 @@
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fc00e9599..a375dc832 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -42,6 +42,7 @@
     fingerprint_vendor_data_file
     fs_bpf
     hal_authsecret_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be0c..a5fa9e10e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@ hal_client_domain(mediaserver, hal_graphics_allocator)
 
 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 72d408aa6..48ec63499 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,7 @@ hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
diff --git a/public/app.te b/public/app.te
index 0c5008ddb..4ebf4803e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -222,6 +222,7 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
diff --git a/public/hwservice.te b/public/hwservice.te
index 2b745c0b3..ca2025870 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index bcccbb81a..e5b4a7d35 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -33,6 +33,7 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)
 
 hal_client_domain(mediacodec, hal_allocator)