Allow for server-side configuration of libstagefright

Relaxation of SELinux policies to allow users of libstagefright and MediaCodec to be able to query server-side configurable flags. Bug: 301372559 Bug: 301250938 Bug: 308043377 Fixes: 308043377 Test: run cts -m CtsSecurityHostTestCases Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b (cherry picked from commit 1b32bccc1a)
2023-09-26 12:53:21 -06:00 · 2023-09-26 12:53:21 -06:00 · 660e460e8c
commit 660e460e8c
parent 8deb864534
7 changed files with 19 additions and 3 deletions
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
--- a/prebuilts/api/31.0/public/property.te
+++ b/prebuilts/api/31.0/public/property.te
@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
--- a/prebuilts/api/32.0/public/domain.te
+++ b/prebuilts/api/32.0/public/domain.te
@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
--- a/prebuilts/api/32.0/public/property.te
+++ b/prebuilts/api/32.0/public/property.te
@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@ -359,6 +359,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@ -64,6 +63,7 @@ system_restricted_prop(boottime_public_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
--- a/public/domain.te
+++ b/public/domain.te
@ -334,6 +334,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###