From a7cd26e6649c979c9621644d3175b87b18088e16 Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Thu, 10 Sep 2020 15:43:07 -0700
Subject: [PATCH 1/2] Define a new selinux label for DMABUF system heap

Define the label dmabuf_system_heap_device for /dev/dma_heap/system. This the default DMA-BUF heap that Codec2 will use one ION is deprecated.

Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
---
 private/compat/30.0/30.0.ignore.cil | 1 +
 private/file_contexts | 1 +
 public/device.te | 1 +
 3 files changed, 3 insertions(+)

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index d05cc4dca..57bc74380 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
     apex_info_file
     cgroup_v2
     debugfs_kprobes
+    dmabuf_system_heap_device
     gki_apex_prepostinstall
     gki_apex_prepostinstall_exec
     hal_fingerprint_service
diff --git a/private/file_contexts b/private/file_contexts
index 8fa09bb49..6a9507a54 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -92,6 +92,7 @@
 /dev/bus/usb(.*)? u:object_r:usb_device:s0
 /dev/console u:object_r:console_device:s0
 /dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
 /dev/device-mapper u:object_r:dm_device:s0
 /dev/eac u:object_r:audio_device:s0
 /dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
diff --git a/public/device.te b/public/device.te
index 43d63225e..4282a2535 100644
--- a/public/device.te
+++ b/public/device.te
@@ -44,6 +44,7 @@ type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
 type uhid_device, dev_type;
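Review bot: The file_contexts entry labels only the exact node `/dev/dma_heap/system`; any other heap a kernel or vendor exposes under `/dev/dma_heap/` (the directory itself included) keeps whatever generic label the surrounding `/dev` rules assign, which this hunk does not show. That is the safe direction — unlabeled heaps will be denied rather than reachable through the grants added in the follow-up — but it is worth saying so where the next person will look: `# Only the system heap is labeled here; vendor heaps under /dev/dma_heap/ need their own labels.` placed above the new line. If a second core heap such as an uncached variant is expected, it would need its own entry as well, since file_contexts patterns are anchored and will not match a longer name.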
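Review bot: The new `dmabuf_system_heap_device` type in device.te is declared `mlstrustedobject` with no comment, immediately after `ion_device`, which carries the same attribute. That attribute exempts the node from MLS category checks, which is what lets categorized app domains such as the `platform_app:s0:c512,c768` processes in the follow-up commit's denial log open it; a reader of device.te alone cannot see that reasoning. A one-line comment above the type would capture it: `# DMA-BUF system heap (/dev/dma_heap/system); mlstrustedobject so categorized app domains can allocate from it.` If the intent is for this to replace `ion_device` once Codec2 moves over, noting that here as well would make the pairing obvious.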
From a0e1be0fd3022ec65a877aa5e0f3d7fd7205a23e Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Fri, 11 Sep 2020 14:00:59 -0700
Subject: [PATCH 2/2] Add permissions required for new DMA-BUF heap allocator

avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { read } for comm="HwBinder:413_3" name="system" dev="tmpfs" ino=379 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui
it(0.0:83): avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui

Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: If936c5561ebf891e4b687a2c18760d16e0d31275
---
 private/system_server.te | 3 +++
 public/app.te | 1 +
 public/mediaswcodec.te | 1 +
 3 files changed, 5 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index bd57ad8ed..6d3d42c82 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -933,6 +933,9 @@ allow system_server ion_device:chr_file r_file_perms; allow system_server cgroup_v2:dir rw_dir_perms; allow system_server cgroup_v2:file rw_file_perms; +# Access to /dev/dma_heap/system +allow system_server dmabuf_system_heap_device:chr_file r_file_perms; + r_dir_file(system_server, proc_asound) r_dir_file(system_server, proc_net_type) r_dir_file(system_server, proc_qtaguid_stat) diff --git a/public/app.te b/public/app.te index 8263c09e3..ad1696fdd 100644 --- a/public/app.te +++ b/public/app.te @@ -308,6 +308,7 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; allow { appdomain -isolated_app } ion_device:chr_file r_file_perms; +allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms; # Allow AAudio apps to use shared memory file descriptors from the HAL allow { appdomain -isolated_app } hal_audio:fd use; diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te index 992baabae..8e35225c9 100644 --- a/public/mediaswcodec.te +++ b/public/mediaswcodec.te @@ -23,3 +23,4 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans; # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *; +allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
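Review bot: The new app.te rule gives every non-isolated app domain `r_file_perms` on the heap device, and that macro includes an unrestricted `ioctl` permission, while the denial log in the commit message shows a single command being exercised, `ioctlcmd=0x4800` (the allocation request). This file already narrows app ioctls with extended permissions — the `allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };` line in the hunk's context — so the allocator can be pinned the same way with one added line: `allowxperm { appdomain -isolated_app } dmabuf_system_heap_device:chr_file ioctl { 0x4800 };`. If the project keeps named ioctl defines, a named constant for that command would be preferable to the literal. `ion_device` on the line above has no such restriction, so this is a hardening opportunity for the new allocator rather than a regression, but an allocator reachable from untrusted apps is exactly where an ioctl allow-list pays off.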
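Review bot: In mediaswcodec.te the new `allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;` is appended directly after the `neverallow` that documents the media-stack hardening, with no blank line or comment, so it reads as part of that hardening section. Moving it up among the domain's other allow rules (outside this hunk, so not visible here) and giving it the same explanatory comment system_server.te gets in this commit, `# Access to /dev/dma_heap/system`, would keep the neverallow block self-contained. The same `r_file_perms`-includes-`ioctl` consideration raised for app.te applies to this domain; an `allowxperm` on `0x4800`, the only command in the denial log, would suit a codec process that is already network-isolated by the neverallow above.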