Merge "Properly define hal_codec2 and related policies" into qt-dev am: cf48bfd082
am: 789db9aeca
Change-Id: I33110eae784e8a6b891343143dc018f4ced9bcc6
This commit is contained in:
commit
aacbaf7685
34 changed files with 146 additions and 102 deletions
|
@ -311,9 +311,10 @@ full_treble_only(`
|
|||
neverallow all_untrusted_apps {
|
||||
halserverdomain
|
||||
-coredomain
|
||||
-hal_cas_server
|
||||
-hal_codec2_server
|
||||
-hal_configstore_server
|
||||
-hal_graphics_allocator_server
|
||||
-hal_cas_server
|
||||
-hal_neuralnetworks_server
|
||||
-hal_omx_server
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
|
|
|
@ -90,6 +90,7 @@ allow incidentd {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
hal_health_server
|
||||
|
|
|
@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
|
|||
# allocate and use graphic buffers
|
||||
hal_client_domain(mediaserver, hal_graphics_allocator)
|
||||
hal_client_domain(mediaserver, hal_omx)
|
||||
hal_client_domain(mediaserver, hal_codec2)
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
|
|||
hal_client_domain(surfaceflinger, hal_graphics_allocator)
|
||||
hal_client_domain(surfaceflinger, hal_graphics_composer)
|
||||
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
|
||||
hal_client_domain(surfaceflinger, hal_codec2)
|
||||
hal_client_domain(surfaceflinger, hal_omx)
|
||||
hal_client_domain(surfaceflinger, hal_configstore)
|
||||
hal_client_domain(surfaceflinger, hal_power)
|
||||
|
|
|
@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
|
|||
allow system_server audioserver:process { getsched setsched };
|
||||
allow system_server hal_audio:process { getsched setsched };
|
||||
allow system_server hal_bluetooth:process { getsched setsched };
|
||||
allow system_server hal_codec2_server:process { getsched setsched };
|
||||
allow system_server hal_omx_server:process { getsched setsched };
|
||||
allow system_server mediaswcodec:process { getsched setsched };
|
||||
allow system_server cameraserver:process { getsched setsched };
|
||||
|
@ -206,6 +207,7 @@ binder_service(system_server)
|
|||
hal_client_domain(system_server, hal_allocator)
|
||||
hal_client_domain(system_server, hal_authsecret)
|
||||
hal_client_domain(system_server, hal_broadcastradio)
|
||||
hal_client_domain(system_server, hal_codec2)
|
||||
hal_client_domain(system_server, hal_configstore)
|
||||
hal_client_domain(system_server, hal_contexthub)
|
||||
hal_client_domain(system_server, hal_face)
|
||||
|
@ -275,6 +277,7 @@ allow system_server {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
hal_health_server
|
||||
|
|
|
@ -16,6 +16,10 @@
|
|||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Codec2-related services
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Configstore HAL
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
; typeattribute { appdomain -isolated_app } hal_configstore_client;
|
||||
|
|
|
@ -252,6 +252,7 @@ hal_attribute(bufferhub);
|
|||
hal_attribute(broadcastradio);
|
||||
hal_attribute(camera);
|
||||
hal_attribute(cas);
|
||||
hal_attribute(codec2);
|
||||
hal_attribute(configstore);
|
||||
hal_attribute(confirmationui);
|
||||
hal_attribute(contexthub);
|
||||
|
@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
|
|||
|
||||
attribute camera_service_server;
|
||||
attribute display_service_server;
|
||||
attribute mediaswcodec_server;
|
||||
attribute scheduler_service_server;
|
||||
attribute sensor_service_server;
|
||||
attribute stats_service_server;
|
||||
|
|
|
@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
|
|||
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
|
||||
# Thus, there is no need to use pdx_client macro.
|
||||
allow bufferhubd hal_omx_server:fd use;
|
||||
|
||||
# Codec2 is similar to OMX
|
||||
allow bufferhubd hal_codec2_server:fd use;
|
||||
|
||||
|
|
|
@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
|
|||
|
||||
# Allow to talk with media codec
|
||||
allow cameraserver mediametrics_service:service_manager find;
|
||||
hal_client_domain(cameraserver, hal_codec2)
|
||||
hal_client_domain(cameraserver, hal_omx)
|
||||
hal_client_domain(cameraserver, hal_allocator)
|
||||
|
||||
|
|
|
@ -1063,8 +1063,8 @@ neverallow {
|
|||
-system_server
|
||||
|
||||
# Processes that can't exec crash_dump
|
||||
-hal_codec2_server
|
||||
-hal_omx_server
|
||||
-mediaswcodec_server
|
||||
-mediaextractor
|
||||
} tombstoned_crash_socket:unix_stream_socket connectto;
|
||||
|
||||
|
@ -1394,7 +1394,7 @@ full_treble_only(`
|
|||
|
||||
neverallow {
|
||||
domain
|
||||
-mediaswcodec_server
|
||||
-hal_codec2_server
|
||||
-hal_omx_server
|
||||
} hal_codec2_hwservice:hwservice_manager add;
|
||||
|
||||
|
|
|
@ -78,6 +78,7 @@ allow dumpstate {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_drm_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
|
|
22
prebuilts/api/29.0/public/hal_codec2.te
Normal file
22
prebuilts/api/29.0/public/hal_codec2.te
Normal file
|
@ -0,0 +1,22 @@
|
|||
binder_call(hal_codec2_client, hal_codec2_server)
|
||||
binder_call(hal_codec2_server, hal_codec2_client)
|
||||
|
||||
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
|
||||
|
||||
# The following permissions are added to hal_codec2_server because vendor and
|
||||
# vndk libraries provided for Codec2 implementation need them.
|
||||
|
||||
# Allow server access to composer sync fences
|
||||
allow hal_codec2_server hal_graphics_composer:fd use;
|
||||
|
||||
# Allow both server and client access to ion
|
||||
allow hal_codec2_server ion_device:chr_file r_file_perms;
|
||||
|
||||
# Allow server access to camera HAL's fences
|
||||
allow hal_codec2_server hal_camera:fd use;
|
||||
|
||||
# Receive gralloc buffer FDs from bufferhubd.
|
||||
allow hal_codec2_server bufferhubd:fd use;
|
||||
|
||||
allow hal_codec2_client ion_device:chr_file r_file_perms;
|
||||
|
|
@ -1,7 +1,6 @@
|
|||
# applies all permissions to hal_omx NOT hal_omx_server
|
||||
# since OMX must always be in its own process.
|
||||
|
||||
|
||||
binder_call(hal_omx_server, binderservicedomain)
|
||||
binder_call(hal_omx_server, { appdomain -isolated_app })
|
||||
|
||||
|
@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
|
|||
|
||||
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
|
||||
|
||||
allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
|
||||
allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
|
||||
|
||||
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
|
||||
|
||||
binder_call(hal_omx_client, hal_omx_server)
|
||||
|
|
|
@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
|
|||
# for ModDrm/MediaPlayer
|
||||
allow mediaserver mediadrmserver_service:service_manager find;
|
||||
|
||||
# For interfacing with OMX HAL
|
||||
# For hybrid interfaces
|
||||
allow mediaserver hidl_token_hwservice:hwservice_manager find;
|
||||
|
||||
# /oem access
|
||||
|
|
|
@ -1,10 +1,27 @@
|
|||
type mediaswcodec, domain;
|
||||
type mediaswcodec_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
typeattribute mediaswcodec halserverdomain;
|
||||
typeattribute mediaswcodec mediaswcodec_server;
|
||||
hal_server_domain(mediaswcodec, hal_codec2)
|
||||
|
||||
# mediaswcodec may use an input surface from a different Codec2 service or an
|
||||
# OMX service
|
||||
hal_client_domain(mediaswcodec, hal_codec2)
|
||||
hal_client_domain(mediaswcodec, hal_omx)
|
||||
|
||||
hal_client_domain(mediaswcodec, hal_allocator)
|
||||
hal_client_domain(mediaswcodec, hal_graphics_allocator)
|
||||
|
||||
get_prop(mediaswcodec, device_config_media_native_prop)
|
||||
|
||||
crash_dump_fallback(mediaswcodec)
|
||||
|
||||
# mediaswcodec_server should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
# Add hal_codec2_hwservice to mediaswcodec_server
|
||||
allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
|
||||
allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
|
||||
|
||||
# Allow mediaswcodec_server access to composer sync fences
|
||||
allow mediaswcodec_server hal_graphics_composer:fd use;
|
||||
|
||||
allow mediaswcodec_server ion_device:chr_file r_file_perms;
|
||||
allow mediaswcodec_server hal_camera:fd use;
|
||||
|
||||
crash_dump_fallback(mediaswcodec_server)
|
||||
|
||||
# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
|
||||
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
|
||||
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
|
||||
# via PDX. Thus, there is no need to use pdx_client macro.
|
||||
allow mediaswcodec_server bufferhubd:fd use;
|
||||
|
||||
binder_call(mediaswcodec_server, hal_omx_client)
|
||||
binder_call(hal_omx_client, mediaswcodec_server)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# mediaswcodec_server should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# The goal of the mediaserver/codec split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
@ -260,9 +260,10 @@ full_treble_only(`
|
|||
neverallow all_untrusted_apps {
|
||||
halserverdomain
|
||||
-coredomain
|
||||
-hal_cas_server
|
||||
-hal_codec2_server
|
||||
-hal_configstore_server
|
||||
-hal_graphics_allocator_server
|
||||
-hal_cas_server
|
||||
-hal_neuralnetworks_server
|
||||
-hal_omx_server
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
|
|
|
@ -90,6 +90,7 @@ allow incidentd {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
hal_health_server
|
||||
|
|
|
@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
|
|||
# allocate and use graphic buffers
|
||||
hal_client_domain(mediaserver, hal_graphics_allocator)
|
||||
hal_client_domain(mediaserver, hal_omx)
|
||||
hal_client_domain(mediaserver, hal_codec2)
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
|
|||
hal_client_domain(surfaceflinger, hal_graphics_allocator)
|
||||
hal_client_domain(surfaceflinger, hal_graphics_composer)
|
||||
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
|
||||
hal_client_domain(surfaceflinger, hal_codec2)
|
||||
hal_client_domain(surfaceflinger, hal_omx)
|
||||
hal_client_domain(surfaceflinger, hal_configstore)
|
||||
hal_client_domain(surfaceflinger, hal_power)
|
||||
|
|
|
@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
|
|||
allow system_server audioserver:process { getsched setsched };
|
||||
allow system_server hal_audio:process { getsched setsched };
|
||||
allow system_server hal_bluetooth:process { getsched setsched };
|
||||
allow system_server hal_codec2_server:process { getsched setsched };
|
||||
allow system_server hal_omx_server:process { getsched setsched };
|
||||
allow system_server mediaswcodec:process { getsched setsched };
|
||||
allow system_server cameraserver:process { getsched setsched };
|
||||
|
@ -207,6 +208,7 @@ binder_service(system_server)
|
|||
hal_client_domain(system_server, hal_allocator)
|
||||
hal_client_domain(system_server, hal_authsecret)
|
||||
hal_client_domain(system_server, hal_broadcastradio)
|
||||
hal_client_domain(system_server, hal_codec2)
|
||||
hal_client_domain(system_server, hal_configstore)
|
||||
hal_client_domain(system_server, hal_contexthub)
|
||||
hal_client_domain(system_server, hal_face)
|
||||
|
@ -276,6 +278,7 @@ allow system_server {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
hal_health_server
|
||||
|
|
|
@ -16,6 +16,10 @@
|
|||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Codec2-related services
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Configstore HAL
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
; typeattribute { appdomain -isolated_app } hal_configstore_client;
|
||||
|
|
|
@ -252,6 +252,7 @@ hal_attribute(bufferhub);
|
|||
hal_attribute(broadcastradio);
|
||||
hal_attribute(camera);
|
||||
hal_attribute(cas);
|
||||
hal_attribute(codec2);
|
||||
hal_attribute(configstore);
|
||||
hal_attribute(confirmationui);
|
||||
hal_attribute(contexthub);
|
||||
|
@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
|
|||
|
||||
attribute camera_service_server;
|
||||
attribute display_service_server;
|
||||
attribute mediaswcodec_server;
|
||||
attribute scheduler_service_server;
|
||||
attribute sensor_service_server;
|
||||
attribute stats_service_server;
|
||||
|
|
|
@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
|
|||
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
|
||||
# Thus, there is no need to use pdx_client macro.
|
||||
allow bufferhubd hal_omx_server:fd use;
|
||||
|
||||
# Codec2 is similar to OMX
|
||||
allow bufferhubd hal_codec2_server:fd use;
|
||||
|
||||
|
|
|
@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
|
|||
|
||||
# Allow to talk with media codec
|
||||
allow cameraserver mediametrics_service:service_manager find;
|
||||
hal_client_domain(cameraserver, hal_codec2)
|
||||
hal_client_domain(cameraserver, hal_omx)
|
||||
hal_client_domain(cameraserver, hal_allocator)
|
||||
|
||||
|
|
|
@ -1054,8 +1054,8 @@ neverallow {
|
|||
-system_server
|
||||
|
||||
# Processes that can't exec crash_dump
|
||||
-hal_codec2_server
|
||||
-hal_omx_server
|
||||
-mediaswcodec_server
|
||||
-mediaextractor
|
||||
} tombstoned_crash_socket:unix_stream_socket connectto;
|
||||
|
||||
|
@ -1385,7 +1385,7 @@ full_treble_only(`
|
|||
|
||||
neverallow {
|
||||
domain
|
||||
-mediaswcodec_server
|
||||
-hal_codec2_server
|
||||
-hal_omx_server
|
||||
} hal_codec2_hwservice:hwservice_manager add;
|
||||
|
||||
|
|
|
@ -78,6 +78,7 @@ allow dumpstate {
|
|||
hal_audio_server
|
||||
hal_bluetooth_server
|
||||
hal_camera_server
|
||||
hal_codec2_server
|
||||
hal_drm_server
|
||||
hal_graphics_allocator_server
|
||||
hal_graphics_composer_server
|
||||
|
|
22
public/hal_codec2.te
Normal file
22
public/hal_codec2.te
Normal file
|
@ -0,0 +1,22 @@
|
|||
binder_call(hal_codec2_client, hal_codec2_server)
|
||||
binder_call(hal_codec2_server, hal_codec2_client)
|
||||
|
||||
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
|
||||
|
||||
# The following permissions are added to hal_codec2_server because vendor and
|
||||
# vndk libraries provided for Codec2 implementation need them.
|
||||
|
||||
# Allow server access to composer sync fences
|
||||
allow hal_codec2_server hal_graphics_composer:fd use;
|
||||
|
||||
# Allow both server and client access to ion
|
||||
allow hal_codec2_server ion_device:chr_file r_file_perms;
|
||||
|
||||
# Allow server access to camera HAL's fences
|
||||
allow hal_codec2_server hal_camera:fd use;
|
||||
|
||||
# Receive gralloc buffer FDs from bufferhubd.
|
||||
allow hal_codec2_server bufferhubd:fd use;
|
||||
|
||||
allow hal_codec2_client ion_device:chr_file r_file_perms;
|
||||
|
|
@ -1,7 +1,6 @@
|
|||
# applies all permissions to hal_omx NOT hal_omx_server
|
||||
# since OMX must always be in its own process.
|
||||
|
||||
|
||||
binder_call(hal_omx_server, binderservicedomain)
|
||||
binder_call(hal_omx_server, { appdomain -isolated_app })
|
||||
|
||||
|
@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
|
|||
|
||||
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
|
||||
|
||||
allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
|
||||
allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
|
||||
|
||||
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
|
||||
|
||||
binder_call(hal_omx_client, hal_omx_server)
|
||||
|
|
|
@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
|
|||
# for ModDrm/MediaPlayer
|
||||
allow mediaserver mediadrmserver_service:service_manager find;
|
||||
|
||||
# For interfacing with OMX HAL
|
||||
# For hybrid interfaces
|
||||
allow mediaserver hidl_token_hwservice:hwservice_manager find;
|
||||
|
||||
# /oem access
|
||||
|
|
|
@ -1,10 +1,27 @@
|
|||
type mediaswcodec, domain;
|
||||
type mediaswcodec_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
typeattribute mediaswcodec halserverdomain;
|
||||
typeattribute mediaswcodec mediaswcodec_server;
|
||||
hal_server_domain(mediaswcodec, hal_codec2)
|
||||
|
||||
# mediaswcodec may use an input surface from a different Codec2 service or an
|
||||
# OMX service
|
||||
hal_client_domain(mediaswcodec, hal_codec2)
|
||||
hal_client_domain(mediaswcodec, hal_omx)
|
||||
|
||||
hal_client_domain(mediaswcodec, hal_allocator)
|
||||
hal_client_domain(mediaswcodec, hal_graphics_allocator)
|
||||
|
||||
get_prop(mediaswcodec, device_config_media_native_prop)
|
||||
|
||||
crash_dump_fallback(mediaswcodec)
|
||||
|
||||
# mediaswcodec_server should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
# Add hal_codec2_hwservice to mediaswcodec_server
|
||||
allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
|
||||
allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
|
||||
|
||||
# Allow mediaswcodec_server access to composer sync fences
|
||||
allow mediaswcodec_server hal_graphics_composer:fd use;
|
||||
|
||||
allow mediaswcodec_server ion_device:chr_file r_file_perms;
|
||||
allow mediaswcodec_server hal_camera:fd use;
|
||||
|
||||
crash_dump_fallback(mediaswcodec_server)
|
||||
|
||||
# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
|
||||
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
|
||||
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
|
||||
# via PDX. Thus, there is no need to use pdx_client macro.
|
||||
allow mediaswcodec_server bufferhubd:fd use;
|
||||
|
||||
binder_call(mediaswcodec_server, hal_omx_client)
|
||||
binder_call(hal_omx_client, mediaswcodec_server)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# mediaswcodec_server should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# The goal of the mediaserver/codec split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
|
1
vendor/hal_drm_default.te
vendored
1
vendor/hal_drm_default.te
vendored
|
@ -4,6 +4,7 @@ hal_server_domain(hal_drm_default, hal_drm)
|
|||
type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_drm_default)
|
||||
|
||||
allow hal_drm_default hal_codec2_server:fd use;
|
||||
allow hal_drm_default hal_omx_server:fd use;
|
||||
allow hal_drm_default { appdomain -isolated_app }:fd use;
|
||||
|
||||
|
|
17
vendor/mediacodec.te
vendored
17
vendor/mediacodec.te
vendored
|
@ -15,12 +15,29 @@ not_full_treble(`
|
|||
# can route /dev/binder traffic to /dev/vndbinder
|
||||
vndbinder_use(mediacodec)
|
||||
|
||||
hal_server_domain(mediacodec, hal_codec2)
|
||||
hal_server_domain(mediacodec, hal_omx)
|
||||
|
||||
# mediacodec may use an input surface from a different Codec2 or OMX service
|
||||
hal_client_domain(mediacodec, hal_codec2)
|
||||
hal_client_domain(mediacodec, hal_omx)
|
||||
|
||||
hal_client_domain(mediacodec, hal_allocator)
|
||||
hal_client_domain(mediacodec, hal_graphics_allocator)
|
||||
|
||||
allow mediacodec gpu_device:chr_file rw_file_perms;
|
||||
allow mediacodec ion_device:chr_file rw_file_perms;
|
||||
allow mediacodec video_device:chr_file rw_file_perms;
|
||||
allow mediacodec video_device:dir search;
|
||||
|
||||
crash_dump_fallback(mediacodec)
|
||||
|
||||
# mediacodec should never execute any executable without a domain transition
|
||||
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
|
|
Loading…
Reference in a new issue