From a981983e70d23e4d05e74c117178d539d0fabd76 Mon Sep 17 00:00:00 2001
From: Wonsik Kim
Date: Mon, 21 Aug 2023 18:10:35 -0700
Subject: [PATCH] C2 AIDL sepolicy update

Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
---
 build/soong/service_fuzzer_bindings.go | 2 ++
 private/compat/34.0/34.0.ignore.cil | 1 +
 private/isolated_compute_app.te | 2 ++
 private/service_contexts | 2 ++
 public/hal_codec2.te | 1 +
 public/mediaswcodec.te | 3 ++-
 public/service.te | 1 +
 vendor/file_contexts | 1 +
 8 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 345a9d2db..e53f4683c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -70,6 +70,8 @@ var (
 "android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
 "android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
 "android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": EXCEPTION_NO_FUZZER,
 "android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
 "android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
 "android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index e16be8921..60b9ba618 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,6 +9,7 @@
 dtbo_block_device
 ota_build_prop
 snapuserd_log_data_file
+ hal_codec2_service
 hal_threadnetwork_service
 virtual_camera_service
 ot_daemon_service
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a7409..5d4070d6c 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
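Review bot: Both new `android.hardware.media.c2.IComponentStore` entries in build/soong/service_fuzzer_bindings.go are registered with `EXCEPTION_NO_FUZZER`, so the new AIDL interface lands with no service fuzzer bound to it. The same commit makes the service reachable from `isolated_compute_app` (private/isolated_compute_app.te), and a codec HAL presumably processes caller-supplied media data, so fuzz coverage matters more here than for most entries in this list. If a fuzzer cannot land with this change, a tracking comment above the two entries such as `// TODO(b/<bug-id>): add a C2 AIDL service fuzzer and drop EXCEPTION_NO_FUZZER` would keep the exception from becoming permanent. The enclosing `var (` block starts and ends outside the hunk.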
@@ -21,6 +21,8 @@ allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write
 hal_client_domain(isolated_compute_app, hal_allocator)
 hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
 allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
 # Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/service_contexts b/private/service_contexts
index 71bd7e4af..746cde17f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,8 @@ android.hardware.identity.IIdentityCredentialStore/default u:object_r:
 android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
 android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
 android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
 android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
 android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
 android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3fc..f05e00a61 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@ binder_call(hal_codec2_client, hal_codec2_server)
 binder_call(hal_codec2_server, hal_codec2_client)
 hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
 # The following permissions are added to hal_codec2_server because vendor and
 # vndk libraries provided for Codec2 implementation need them.
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03ee..b3b26c1d0 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
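Review bot: The added `hal_client_domain(isolated_compute_app, hal_codec2)` in private/isolated_compute_app.te carries no comment saying why a sandboxed isolated-compute process needs the codec HAL, while the network-socket rule a few lines below it is explained. public/service.te tags `hal_codec2_service` with `isolated_compute_allowed_service` in the same commit, so the two lines together widen what the sandbox can reach, and public/hal_codec2.te shows the attribute covering both the hwservice and the new AIDL service. A comment above the macro such as `# Allow use of the Codec2 HAL for <use case>; see b/<bug-id>.` would record the intent for later policy audits. The surrounding policy continues outside the hunk.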
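Review bot: In private/service_contexts the `/default` and `/software` instances of `android.hardware.media.c2.IComponentStore` both map to `hal_codec2_service`, so policy cannot tell the two instances apart at `find` time. Any client allowed to find one, including `isolated_compute_app` after this commit, can find the other as well. If the `/software` instance is the one served by `mediaswcodec` (inferred from the mediaswcodec.te change, not shown in this hunk), a separate label would let sandboxed clients be limited to it. If sharing the label is intentional, a one-line comment above the two entries, for example `# Both C2 instances intentionally share hal_codec2_service.`, would make that explicit.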
@@ -21,7 +21,8 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index d2e6ca399..8cc5acc9f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -285,6 +285,7 @@ type hal_broadcastradio_service, protected_service, hal_service_type, service_ma
 type hal_camera_service, protected_service, hal_service_type, service_manager_type;
 type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
 type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
 type hal_drm_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 564ca9d2a..efe0b71b4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
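Review bot: The new ``neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;`` in public/mediaswcodec.te exempts `su`-labelled TCP sockets from the network-isolation assertion on userdebug and eng builds, and nothing in the hunk says why. The comment block directly above still states that the codec should be isolated from the rest of the system and network, so the exception reads as contradicting it. A neverallow grants nothing by itself, but relaxing it removes the build-time guard against a later allow rule for that class. A comment above the line such as `# tcp_socket: su is exempted on userdebug/eng builds only, for <reason>; user builds keep the full restriction.` would document the boundary. The comment block starts outside the hunk.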
@@ -76,6 +76,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0