Properly define hal_codec2 and related policies

Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b

prebuilts/api/29.0/private/app_neverallows.te

@@ -311,9 +311,10 @@ full_treble_only(`
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone

prebuilts/api/29.0/private/incidentd.te

@@ -90,6 +90,7 @@ allow incidentd {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

prebuilts/api/29.0/private/mediaserver.te

@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+

prebuilts/api/29.0/private/surfaceflinger.te

@@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)

prebuilts/api/29.0/private/system_server.te

@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@ binder_service(system_server)
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@ allow system_server {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

prebuilts/api/29.0/private/technical_debt.cil

@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

prebuilts/api/29.0/public/attributes

@@ -252,6 +252,7 @@ hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

prebuilts/api/29.0/public/bufferhubd.te

@@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+

prebuilts/api/29.0/public/cameraserver.te

@@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 

prebuilts/api/29.0/public/domain.te

@@ -1062,8 +1062,8 @@ neverallow {
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1393,7 +1393,7 @@ full_treble_only(`
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 

prebuilts/api/29.0/public/dumpstate.te

@@ -77,6 +77,7 @@ allow dumpstate {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_graphics_allocator_server
   hal_graphics_composer_server

prebuilts/api/29.0/public/hal_codec2.te

@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+

prebuilts/api/29.0/public/hal_omx.te

@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)

prebuilts/api/29.0/public/mediaserver.te

@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access

prebuilts/api/29.0/public/mediaswcodec.te

@@ -1,10 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+

prebuilts/api/29.0/public/swcodec_service_server.te

@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

private/app_neverallows.te

@@ -311,9 +311,10 @@ full_treble_only(`
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone

private/incidentd.te

@@ -90,6 +90,7 @@ allow incidentd {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

private/mediaserver.te

@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+

private/surfaceflinger.te

@@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)

private/system_server.te

@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@ binder_service(system_server)
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@ allow system_server {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

private/technical_debt.cil

@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

public/attributes

@@ -252,6 +252,7 @@ hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

public/bufferhubd.te

@@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+

public/cameraserver.te

@@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 

public/domain.te

@@ -1062,8 +1062,8 @@ neverallow {
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1393,7 +1393,7 @@ full_treble_only(`
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 

public/dumpstate.te

@@ -77,6 +77,7 @@ allow dumpstate {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_graphics_allocator_server
   hal_graphics_composer_server

public/hal_codec2.te

@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+

public/hal_omx.te

@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)

public/mediaserver.te

@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access

public/mediaswcodec.te

@@ -1,10 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+

public/swcodec_service_server.te

@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

vendor/hal_drm_default.te

@@ -4,6 +4,7 @@ hal_server_domain(hal_drm_default, hal_drm)
 type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)
 
+allow hal_drm_default hal_codec2_server:fd use;
 allow hal_drm_default hal_omx_server:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
 

vendor/mediacodec.te

@@ -15,12 +15,29 @@ not_full_treble(`
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(mediacodec)
 
+hal_server_domain(mediacodec, hal_codec2)
 hal_server_domain(mediacodec, hal_omx)
 
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
 hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
 allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 
+crash_dump_fallback(mediacodec)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+