Put in sepolicies for Codec2.0 services

am: 19a74ec88a Change-Id: I056c32b9a3b4916d0f8d35e5a7f069d16783090f
2018-05-04 16:58:06 -07:00 · 2018-05-04 16:58:06 -07:00 · 8144a92bad
commit 8144a92bad
parent bc34fa26ac 19a74ec88a
8 changed files with 9 additions and 0 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -173,10 +173,12 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
  hwservice_manager_type
  -same_process_hwservice
  -coredomain_hwservice
+  -hal_codec2_hwservice
  -hal_configstore_ISurfaceFlingerConfigs
  -hal_graphics_allocator_hwservice
  -hal_omx_hwservice
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -47,6 +47,7 @@
    hal_authsecret_hwservice
    hal_broadcastradio_hwservice
    hal_cas_hwservice
+    hal_codec2_hwservice
    hal_confirmationui_hwservice
    hal_lowpan_hwservice
    hal_neuralnetworks_hwservice
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -42,6 +42,7 @@
    fingerprint_vendor_data_file
    fs_bpf
    hal_authsecret_hwservice
+    hal_codec2_hwservice
    hal_confirmationui_hwservice
    hal_lowpan_hwservice
    hal_secure_element_hwservice
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@ -7,4 +7,5 @@ hal_client_domain(mediaserver, hal_graphics_allocator)

 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;
--- a/private/system_server.te
+++ b/private/system_server.te
@ -199,6 +199,7 @@ hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
--- a/public/app.te
+++ b/public/app.te
@ -222,6 +222,7 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;

--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -8,6 +8,7 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@ -33,6 +33,7 @@ allow mediacodec hal_camera:fd use;

 crash_dump_fallback(mediacodec)

+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)

 hal_client_domain(mediacodec, hal_allocator)