C2 AIDL sepolicy update

Bug: 251850069 Test: presubmit Change-Id: Ica39920472de154aa01b8e270297553aedda6782
2023-08-21 18:10:35 -07:00 · 2023-08-21 18:10:35 -07:00 · a981983e70
commit a981983e70
parent eb0d40aa85
8 changed files with 12 additions and 1 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -70,6 +70,8 @@ var (
 		"android.hardware.input.processor.IInputProcessor/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.ir.IConsumerIr/default":                                 EXCEPTION_NO_FUZZER,
 		"android.hardware.light.ILights/default":                                  EXCEPTION_NO_FUZZER,
+		"android.hardware.media.c2.IComponentStore/default":                       EXCEPTION_NO_FUZZER,
+		"android.hardware.media.c2.IComponentStore/software":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.memtrack.IMemtrack/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.net.nlinterceptor.IInterceptor/default":                 EXCEPTION_NO_FUZZER,
 		"android.hardware.nfc.INfc/default":                                       EXCEPTION_NO_FUZZER,
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@ -9,6 +9,7 @@
    dtbo_block_device
    ota_build_prop
    snapuserd_log_data_file
+    hal_codec2_service
    hal_threadnetwork_service
    virtual_camera_service
    ot_daemon_service
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@ -21,6 +21,8 @@ allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write
 hal_client_domain(isolated_compute_app, hal_allocator)
 hwbinder_use(isolated_compute_app)

+hal_client_domain(isolated_compute_app, hal_codec2)
+
 allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;

 # Allow access to network sockets received over IPC. New socket creation is not
--- a/private/service_contexts
+++ b/private/service_contexts
@ -51,6 +51,8 @@ android.hardware.identity.IIdentityCredentialStore/default           u:object_r:
 android.hardware.input.processor.IInputProcessor/default           u:object_r:hal_input_processor_service:s0
 android.hardware.ir.IConsumerIr/default                              u:object_r:hal_ir_service:s0
 android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default                    u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software                   u:object_r:hal_codec2_service:s0
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
 android.hardware.net.nlinterceptor.IInterceptor/default              u:object_r:hal_nlinterceptor_service:s0
 android.hardware.nfc.INfc/default                                    u:object_r:hal_nfc_service:s0
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@ -7,6 +7,7 @@ binder_call(hal_codec2_client, hal_codec2_server)
 binder_call(hal_codec2_server, hal_codec2_client)

 hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)

 # The following permissions are added to hal_codec2_server because vendor and
 # vndk libraries provided for Codec2 implementation need them.
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@ -21,7 +21,8 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;

 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
--- a/public/service.te
+++ b/public/service.te
@ -285,6 +285,7 @@ type hal_broadcastradio_service, protected_service, hal_service_type, service_ma
 type hal_camera_service, protected_service, hal_service_type, service_manager_type;
 type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
 type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
 type hal_drm_service, hal_service_type, service_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -76,6 +76,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy     u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example     u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service   u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example    u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0