From 609c243dd0a361a0a00566b20c9bb2c6bf0f006f Mon Sep 17 00:00:00 2001 
From: Pawin Vongmasa Date: Tue, 30 Apr 2019 05:09:28 -0700 Subject: [PATCH] Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b --- prebuilts/api/29.0/private/app_neverallows.te | 3 +- prebuilts/api/29.0/private/incidentd.te | 1 + prebuilts/api/29.0/private/mediaserver.te | 2 + prebuilts/api/29.0/private/surfaceflinger.te | 1 + prebuilts/api/29.0/private/system_server.te | 3 ++ prebuilts/api/29.0/private/technical_debt.cil | 4 ++ prebuilts/api/29.0/public/attributes | 2 +- prebuilts/api/29.0/public/bufferhubd.te | 4 ++ prebuilts/api/29.0/public/cameraserver.te | 1 + prebuilts/api/29.0/public/domain.te | 4 +- prebuilts/api/29.0/public/dumpstate.te | 1 + prebuilts/api/29.0/public/hal_codec2.te | 22 ++++++++++ prebuilts/api/29.0/public/hal_omx.te | 4 -- prebuilts/api/29.0/public/mediaserver.te | 2 +- prebuilts/api/29.0/public/mediaswcodec.te | 21 +++++++++- .../api/29.0/public/swcodec_service_server.te | 40 ------------------- private/app_neverallows.te | 3 +- private/incidentd.te | 1 + private/mediaserver.te | 2 + private/surfaceflinger.te | 1 + private/system_server.te | 3 ++ private/technical_debt.cil | 4 ++ public/attributes | 2 +- public/bufferhubd.te | 4 ++ public/cameraserver.te | 1 + public/domain.te | 4 +- public/dumpstate.te | 1 + public/hal_codec2.te | 22 ++++++++++ public/hal_omx.te | 4 -- public/mediaserver.te | 2 +- public/mediaswcodec.te | 21 +++++++++- public/swcodec_service_server.te | 40 ------------------- vendor/hal_drm_default.te | 1 + vendor/mediacodec.te | 17 ++++++++ 34 files changed, 146 insertions(+), 102 deletions(-) create mode 100644 prebuilts/api/29.0/public/hal_codec2.te delete mode 100644 prebuilts/api/29.0/public/swcodec_service_server.te create mode 100644 public/hal_codec2.te delete 
mode 100644 public/swcodec_service_server.te diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te index 3c5b921a6..23e1fd2b4 100644 --- a/prebuilts/api/29.0/private/app_neverallows.te +++ b/prebuilts/api/29.0/private/app_neverallows.te @@ -311,9 +311,10 @@ full_treble_only(` neverallow all_untrusted_apps { halserverdomain -coredomain + -hal_cas_server + -hal_codec2_server -hal_configstore_server -hal_graphics_allocator_server - -hal_cas_server -hal_neuralnetworks_server -hal_omx_server -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te index 6f1095569..7b38911d2 100644 --- a/prebuilts/api/29.0/private/incidentd.te +++ b/prebuilts/api/29.0/private/incidentd.te @@ -90,6 +90,7 @@ allow incidentd { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te index b1cf64ad2..635cf4ec9 100644 --- a/prebuilts/api/29.0/private/mediaserver.te +++ b/prebuilts/api/29.0/private/mediaserver.te @@ -6,3 +6,5 @@ tmpfs_domain(mediaserver) # allocate and use graphic buffers hal_client_domain(mediaserver, hal_graphics_allocator) hal_client_domain(mediaserver, hal_omx) +hal_client_domain(mediaserver, hal_codec2) + diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te index b1aa77591..123662724 100644 --- a/prebuilts/api/29.0/private/surfaceflinger.te +++ b/prebuilts/api/29.0/private/surfaceflinger.te 
@@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger) hal_client_domain(surfaceflinger, hal_graphics_allocator) hal_client_domain(surfaceflinger, hal_graphics_composer) typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs; +hal_client_domain(surfaceflinger, hal_codec2) hal_client_domain(surfaceflinger, hal_omx) hal_client_domain(surfaceflinger, hal_configstore) hal_client_domain(surfaceflinger, hal_power) diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te index 0d02657fc..f551780ce 100644 --- a/prebuilts/api/29.0/private/system_server.te +++ b/prebuilts/api/29.0/private/system_server.te @@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched }; allow system_server audioserver:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched }; allow system_server hal_bluetooth:process { getsched setsched }; +allow system_server hal_codec2_server:process { getsched setsched }; allow system_server hal_omx_server:process { getsched setsched }; allow system_server mediaswcodec:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched }; @@ -206,6 +207,7 @@ binder_service(system_server) hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) +hal_client_domain(system_server, hal_codec2) hal_client_domain(system_server, hal_configstore) hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_face) @@ -275,6 +277,7 @@ allow system_server { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil index d1215fea8..289f69e20 100644 --- a/prebuilts/api/29.0/private/technical_debt.cil 
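Review bot: The new `allow system_server hal_codec2_server:process { getsched setsched };` makes the existing `allow system_server mediaswcodec:process { getsched setsched };` two lines below it redundant, because mediaswcodec.te in this same patch places mediaswcodec in hal_codec2_server via `hal_server_domain(mediaswcodec, hal_codec2)`. Dropping the mediaswcodec-specific line in this hunk keeps the sched rules attribute-based, matching how hal_omx_server is handled on the adjacent line. The same applies to the private/system_server.te hunk later in the patch.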
+++ b/prebuilts/api/29.0/private/technical_debt.cil @@ -16,6 +16,10 @@ ; Unfortunately, we can't currently express this in module policy language: (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app)))))) +; Apps, except isolated apps, are clients of Codec2-related services +; Unfortunately, we can't currently express this in module policy language: +(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app)))))) + ; Apps, except isolated apps, are clients of Configstore HAL ; Unfortunately, we can't currently express this in module policy language: ; typeattribute { appdomain -isolated_app } hal_configstore_client; diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes index 67979dafb..857efc5de 100644 --- a/prebuilts/api/29.0/public/attributes +++ b/prebuilts/api/29.0/public/attributes @@ -252,6 +252,7 @@ hal_attribute(bufferhub); hal_attribute(broadcastradio); hal_attribute(camera); hal_attribute(cas); +hal_attribute(codec2); hal_attribute(configstore); hal_attribute(confirmationui); hal_attribute(contexthub); @@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant); attribute camera_service_server; attribute display_service_server; -attribute mediaswcodec_server; attribute scheduler_service_server; attribute sensor_service_server; attribute stats_service_server; diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te index 7acfa6952..37edb5dce 100644 --- a/prebuilts/api/29.0/public/bufferhubd.te +++ b/prebuilts/api/29.0/public/bufferhubd.te @@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms; # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX. # Thus, there is no need to use pdx_client macro. allow bufferhubd hal_omx_server:fd use; + +# Codec2 is similar to OMX +allow bufferhubd hal_codec2_server:fd use; + 
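Review bot: `# Codec2 is similar to OMX` leaves the reader to infer that the explanation above it (buffer FDs reach the server through a client that talks to bufferhubd via PDX, so no pdx_client macro is needed) is also the justification for the new `allow bufferhubd hal_codec2_server:fd use;`. Saying so directly avoids the inference: `# Codec2 servers receive gralloc buffer FDs the same way as hal_omx_server above; no pdx_client macro needed.` The same applies to the public/bufferhubd.te hunk.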
diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te index b2ee301a6..13ef1f738 100644 --- a/prebuilts/api/29.0/public/cameraserver.te +++ b/prebuilts/api/29.0/public/cameraserver.te @@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write }; # Allow to talk with media codec allow cameraserver mediametrics_service:service_manager find; +hal_client_domain(cameraserver, hal_codec2) hal_client_domain(cameraserver, hal_omx) hal_client_domain(cameraserver, hal_allocator) diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te index 6493ca4d3..493fe2f26 100644 --- a/prebuilts/api/29.0/public/domain.te +++ b/prebuilts/api/29.0/public/domain.te @@ -1062,8 +1062,8 @@ neverallow { -system_server # Processes that can't exec crash_dump + -hal_codec2_server -hal_omx_server - -mediaswcodec_server -mediaextractor } tombstoned_crash_socket:unix_stream_socket connectto; @@ -1393,7 +1393,7 @@ full_treble_only(` neverallow { domain - -mediaswcodec_server + -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te index 2906b5b4d..2e74734ac 100644 --- a/prebuilts/api/29.0/public/dumpstate.te +++ b/prebuilts/api/29.0/public/dumpstate.te @@ -77,6 +77,7 @@ allow dumpstate { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_drm_server hal_graphics_allocator_server hal_graphics_composer_server diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te new file mode 100644 index 000000000..60cd3b0c4 --- /dev/null +++ b/prebuilts/api/29.0/public/hal_codec2.te 
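Review bot: In the `hal_codec2_hwservice:hwservice_manager add` neverallow, `-hal_omx_server` stays exempted even though this patch removes `allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };` from hal_omx.te, so the exemption no longer backs any visible allow rule and only widens the set of domains the neverallow would let register the Codec2 hwservice. Unless a vendor OMX-only server still needs to register hal_codec2_hwservice, the exemption can shrink to `-hal_codec2_server` alone, which is the point of introducing the attribute. If the exemption is kept deliberately, a comment naming the OMX-only case would stop the next reader from removing it. The same applies to the public/domain.te hunk.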
@@ -0,0 +1,22 @@ +binder_call(hal_codec2_client, hal_codec2_server) +binder_call(hal_codec2_server, hal_codec2_client) + +hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice) + +# The following permissions are added to hal_codec2_server because vendor and +# vndk libraries provided for Codec2 implementation need them. + +# Allow server access to composer sync fences +allow hal_codec2_server hal_graphics_composer:fd use; + +# Allow both server and client access to ion +allow hal_codec2_server ion_device:chr_file r_file_perms; + +# Allow server access to camera HAL's fences +allow hal_codec2_server hal_camera:fd use; + +# Receive gralloc buffer FDs from bufferhubd. +allow hal_codec2_server bufferhubd:fd use; + +allow hal_codec2_client ion_device:chr_file r_file_perms; + diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te index 656b03ac8..707cae8c7 100644 --- a/prebuilts/api/29.0/public/hal_omx.te +++ b/prebuilts/api/29.0/public/hal_omx.te @@ -1,7 +1,6 @@ # applies all permissions to hal_omx NOT hal_omx_server # since OMX must always be in its own process. - binder_call(hal_omx_server, binderservicedomain) binder_call(hal_omx_server, { appdomain -isolated_app }) @@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use; hal_attribute_hwservice(hal_omx, hal_omx_hwservice) -allow hal_omx_client hal_codec2_hwservice:hwservice_manager find; -allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find }; - allow hal_omx_client hidl_token_hwservice:hwservice_manager find; binder_call(hal_omx_client, hal_omx_server) diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te index dbdb05197..70d0a55b2 100644 --- a/prebuilts/api/29.0/public/mediaserver.te +++ b/prebuilts/api/29.0/public/mediaserver.te 
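Review bot: The neverallow rules that the deleted swcodec_service_server.te applied to the server attribute (`{ file_type fs_type }:file execute_no_trans` and the tcp/udp/rawip socket ban) reappear in this patch only on the concrete domains mediaswcodec and mediacodec, not on `hal_codec2_server`, so a vendor domain that adopts `hal_server_domain(..., hal_codec2)` on its own is not covered. Since this file defines the attribute, they belong here: `neverallow hal_codec2_server { file_type fs_type }:file execute_no_trans;` and `neverallow hal_codec2_server domain:{ tcp_socket udp_socket rawip_socket } *;`, after which the per-domain copies are redundant. The second `binder_call(hal_codec2_server, hal_codec2_client)` also deserves a comment: technical_debt.cil in this patch puts every non-isolated app in hal_codec2_client, so this line lets any Codec2 server make binder calls into app processes, and recording the reason, e.g. `# Servers call back into clients (callbacks/listeners); clients include all non-isolated apps via technical_debt.cil`, documents why the reverse direction is needed. The same applies to public/hal_codec2.te.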
@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find; # for ModDrm/MediaPlayer allow mediaserver mediadrmserver_service:service_manager find; -# For interfacing with OMX HAL +# For hybrid interfaces allow mediaserver hidl_token_hwservice:hwservice_manager find; # /oem access diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te index e0027876d..2acdeeadd 100644 --- a/prebuilts/api/29.0/public/mediaswcodec.te +++ b/prebuilts/api/29.0/public/mediaswcodec.te @@ -1,10 +1,27 @@ type mediaswcodec, domain; type mediaswcodec_exec, system_file_type, exec_type, file_type; -typeattribute mediaswcodec halserverdomain; -typeattribute mediaswcodec mediaswcodec_server; +hal_server_domain(mediaswcodec, hal_codec2) + +# mediaswcodec may use an input surface from a different Codec2 service or an +# OMX service +hal_client_domain(mediaswcodec, hal_codec2) +hal_client_domain(mediaswcodec, hal_omx) hal_client_domain(mediaswcodec, hal_allocator) hal_client_domain(mediaswcodec, hal_graphics_allocator) get_prop(mediaswcodec, device_config_media_native_prop) + +crash_dump_fallback(mediaswcodec) + +# mediaswcodec_server should never execute any executable without a +# domain transition +neverallow mediaswcodec { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *; + diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te deleted file mode 100644 index f20d9904c..000000000 --- a/prebuilts/api/29.0/public/swcodec_service_server.te +++ /dev/null 
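Review bot: The comment `# mediaswcodec_server should never execute any executable without a domain transition` names an attribute that this same patch deletes from public/attributes, while the rule beneath it is on the `mediaswcodec` domain. Rewording it to `# mediaswcodec should never execute any executable without a domain transition` keeps it from pointing readers at a type that no longer exists. The same applies to the public/mediaswcodec.te hunk.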
@@ -1,40 +0,0 @@ -# Add hal_codec2_hwservice to mediaswcodec_server -allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find }; -allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add; - -# Allow mediaswcodec_server access to composer sync fences -allow mediaswcodec_server hal_graphics_composer:fd use; - -allow mediaswcodec_server ion_device:chr_file r_file_perms; -allow mediaswcodec_server hal_camera:fd use; - -crash_dump_fallback(mediaswcodec_server) - -# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never -# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge -# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd -# via PDX. Thus, there is no need to use pdx_client macro. -allow mediaswcodec_server bufferhubd:fd use; - -binder_call(mediaswcodec_server, hal_omx_client) -binder_call(hal_omx_client, mediaswcodec_server) - -### -### neverallow rules -### - -# mediaswcodec_server should never execute any executable without a -# domain transition -neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans; - -# The goal of the mediaserver/codec split is to place media processing code into -# restrictive sandboxes with limited responsibilities and thus limited -# permissions. Example: Audioserver is only responsible for controlling audio -# hardware and processing audio content. Cameraserver does the same for camera -# hardware/content. Etc. -# -# Media processing code is inherently risky and thus should have limited -# permissions and be isolated from the rest of the system and network. -# Lengthier explanation here: -# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html -neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/private/app_neverallows.te b/private/app_neverallows.te index 3c5b921a6..23e1fd2b4 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te 
@@ -311,9 +311,10 @@ full_treble_only(` neverallow all_untrusted_apps { halserverdomain -coredomain + -hal_cas_server + -hal_codec2_server -hal_configstore_server -hal_graphics_allocator_server - -hal_cas_server -hal_neuralnetworks_server -hal_omx_server -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone diff --git a/private/incidentd.te b/private/incidentd.te index 6f1095569..7b38911d2 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -90,6 +90,7 @@ allow incidentd { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/private/mediaserver.te b/private/mediaserver.te index b1cf64ad2..635cf4ec9 100644 --- a/private/mediaserver.te +++ b/private/mediaserver.te @@ -6,3 +6,5 @@ tmpfs_domain(mediaserver) # allocate and use graphic buffers hal_client_domain(mediaserver, hal_graphics_allocator) hal_client_domain(mediaserver, hal_omx) +hal_client_domain(mediaserver, hal_codec2) + diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index b1aa77591..123662724 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger) hal_client_domain(surfaceflinger, hal_graphics_allocator) hal_client_domain(surfaceflinger, hal_graphics_composer) typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs; +hal_client_domain(surfaceflinger, hal_codec2) hal_client_domain(surfaceflinger, hal_omx) hal_client_domain(surfaceflinger, hal_configstore) hal_client_domain(surfaceflinger, hal_power) diff --git a/private/system_server.te b/private/system_server.te index 0d02657fc..f551780ce 100644 --- a/private/system_server.te +++ b/private/system_server.te 
@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched }; allow system_server audioserver:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched }; allow system_server hal_bluetooth:process { getsched setsched }; +allow system_server hal_codec2_server:process { getsched setsched }; allow system_server hal_omx_server:process { getsched setsched }; allow system_server mediaswcodec:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched }; @@ -206,6 +207,7 @@ binder_service(system_server) hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) +hal_client_domain(system_server, hal_codec2) hal_client_domain(system_server, hal_configstore) hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_face) @@ -275,6 +277,7 @@ allow system_server { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/private/technical_debt.cil b/private/technical_debt.cil index d1215fea8..289f69e20 100644 --- a/private/technical_debt.cil +++ b/private/technical_debt.cil @@ -16,6 +16,10 @@ ; Unfortunately, we can't currently express this in module policy language: (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app)))))) +; Apps, except isolated apps, are clients of Codec2-related services +; Unfortunately, we can't currently express this in module policy language: +(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app)))))) + ; Apps, except isolated apps, are clients of Configstore HAL ; Unfortunately, we can't currently express this in module policy language: ; typeattribute { appdomain -isolated_app } hal_configstore_client; diff --git a/public/attributes b/public/attributes index 67979dafb..857efc5de 100644 
--- a/public/attributes +++ b/public/attributes @@ -252,6 +252,7 @@ hal_attribute(bufferhub); hal_attribute(broadcastradio); hal_attribute(camera); hal_attribute(cas); +hal_attribute(codec2); hal_attribute(configstore); hal_attribute(confirmationui); hal_attribute(contexthub); @@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant); attribute camera_service_server; attribute display_service_server; -attribute mediaswcodec_server; attribute scheduler_service_server; attribute sensor_service_server; attribute stats_service_server; diff --git a/public/bufferhubd.te b/public/bufferhubd.te index 7acfa6952..37edb5dce 100644 --- a/public/bufferhubd.te +++ b/public/bufferhubd.te @@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms; # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX. # Thus, there is no need to use pdx_client macro. allow bufferhubd hal_omx_server:fd use; + +# Codec2 is similar to OMX +allow bufferhubd hal_codec2_server:fd use; + diff --git a/public/cameraserver.te b/public/cameraserver.te index b2ee301a6..13ef1f738 100644 --- a/public/cameraserver.te +++ b/public/cameraserver.te @@ -62,6 +62,7 @@ allow cameraserver shell:fifo_file { read write }; # Allow to talk with media codec allow cameraserver mediametrics_service:service_manager find; +hal_client_domain(cameraserver, hal_codec2) hal_client_domain(cameraserver, hal_omx) hal_client_domain(cameraserver, hal_allocator) diff --git a/public/domain.te b/public/domain.te index 6493ca4d3..493fe2f26 100644 --- a/public/domain.te +++ b/public/domain.te @@ -1062,8 +1062,8 @@ neverallow { -system_server # Processes that can't exec crash_dump + -hal_codec2_server -hal_omx_server - -mediaswcodec_server -mediaextractor } tombstoned_crash_socket:unix_stream_socket connectto; @@ -1393,7 +1393,7 @@ full_treble_only(` neverallow { domain - -mediaswcodec_server + -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; 
diff --git a/public/dumpstate.te b/public/dumpstate.te index 2906b5b4d..2e74734ac 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -77,6 +77,7 @@ allow dumpstate { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_drm_server hal_graphics_allocator_server hal_graphics_composer_server diff --git a/public/hal_codec2.te b/public/hal_codec2.te new file mode 100644 index 000000000..60cd3b0c4 --- /dev/null +++ b/public/hal_codec2.te @@ -0,0 +1,22 @@ +binder_call(hal_codec2_client, hal_codec2_server) +binder_call(hal_codec2_server, hal_codec2_client) + +hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice) + +# The following permissions are added to hal_codec2_server because vendor and +# vndk libraries provided for Codec2 implementation need them. + +# Allow server access to composer sync fences +allow hal_codec2_server hal_graphics_composer:fd use; + +# Allow both server and client access to ion +allow hal_codec2_server ion_device:chr_file r_file_perms; + +# Allow server access to camera HAL's fences +allow hal_codec2_server hal_camera:fd use; + +# Receive gralloc buffer FDs from bufferhubd. +allow hal_codec2_server bufferhubd:fd use; + +allow hal_codec2_client ion_device:chr_file r_file_perms; + diff --git a/public/hal_omx.te b/public/hal_omx.te index 656b03ac8..707cae8c7 100644 --- a/public/hal_omx.te +++ b/public/hal_omx.te @@ -1,7 +1,6 @@ # applies all permissions to hal_omx NOT hal_omx_server # since OMX must always be in its own process. - binder_call(hal_omx_server, binderservicedomain) binder_call(hal_omx_server, { appdomain -isolated_app }) @@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use; hal_attribute_hwservice(hal_omx, hal_omx_hwservice) -allow hal_omx_client hal_codec2_hwservice:hwservice_manager find; -allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find }; - allow hal_omx_client hidl_token_hwservice:hwservice_manager find; binder_call(hal_omx_client, hal_omx_server) 
diff --git a/public/mediaserver.te b/public/mediaserver.te index dbdb05197..70d0a55b2 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te @@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find; # for ModDrm/MediaPlayer allow mediaserver mediadrmserver_service:service_manager find; -# For interfacing with OMX HAL +# For hybrid interfaces allow mediaserver hidl_token_hwservice:hwservice_manager find; # /oem access diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te index e0027876d..2acdeeadd 100644 --- a/public/mediaswcodec.te +++ b/public/mediaswcodec.te @@ -1,10 +1,27 @@ type mediaswcodec, domain; type mediaswcodec_exec, system_file_type, exec_type, file_type; -typeattribute mediaswcodec halserverdomain; -typeattribute mediaswcodec mediaswcodec_server; +hal_server_domain(mediaswcodec, hal_codec2) + +# mediaswcodec may use an input surface from a different Codec2 service or an +# OMX service +hal_client_domain(mediaswcodec, hal_codec2) +hal_client_domain(mediaswcodec, hal_omx) hal_client_domain(mediaswcodec, hal_allocator) hal_client_domain(mediaswcodec, hal_graphics_allocator) get_prop(mediaswcodec, device_config_media_native_prop) + +crash_dump_fallback(mediaswcodec) + +# mediaswcodec_server should never execute any executable without a +# domain transition +neverallow mediaswcodec { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *; + diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te deleted file mode 100644 index f20d9904c..000000000 --- a/public/swcodec_service_server.te +++ /dev/null 
@@ -1,40 +0,0 @@ -# Add hal_codec2_hwservice to mediaswcodec_server -allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find }; -allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add; - -# Allow mediaswcodec_server access to composer sync fences -allow mediaswcodec_server hal_graphics_composer:fd use; - -allow mediaswcodec_server ion_device:chr_file r_file_perms; -allow mediaswcodec_server hal_camera:fd use; - -crash_dump_fallback(mediaswcodec_server) - -# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never -# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge -# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd -# via PDX. Thus, there is no need to use pdx_client macro. -allow mediaswcodec_server bufferhubd:fd use; - -binder_call(mediaswcodec_server, hal_omx_client) -binder_call(hal_omx_client, mediaswcodec_server) - -### -### neverallow rules -### - -# mediaswcodec_server should never execute any executable without a -# domain transition -neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans; - -# The goal of the mediaserver/codec split is to place media processing code into -# restrictive sandboxes with limited responsibilities and thus limited -# permissions. Example: Audioserver is only responsible for controlling audio -# hardware and processing audio content. Cameraserver does the same for camera -# hardware/content. Etc. -# -# Media processing code is inherently risky and thus should have limited -# permissions and be isolated from the rest of the system and network. -# Lengthier explanation here: -# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html -neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te index 5bcbe9ac2..f81f39876 100644 --- a/vendor/hal_drm_default.te +++ b/vendor/hal_drm_default.te 
@@ -4,6 +4,7 @@ hal_server_domain(hal_drm_default, hal_drm) type hal_drm_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_drm_default) +allow hal_drm_default hal_codec2_server:fd use; allow hal_drm_default hal_omx_server:fd use; allow hal_drm_default { appdomain -isolated_app }:fd use; diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te index 29e1a9015..40a5489ea 100644 --- a/vendor/mediacodec.te +++ b/vendor/mediacodec.te @@ -15,12 +15,29 @@ not_full_treble(` # can route /dev/binder traffic to /dev/vndbinder vndbinder_use(mediacodec) +hal_server_domain(mediacodec, hal_codec2) hal_server_domain(mediacodec, hal_omx) +# mediacodec may use an input surface from a different Codec2 or OMX service +hal_client_domain(mediacodec, hal_codec2) +hal_client_domain(mediacodec, hal_omx) + hal_client_domain(mediacodec, hal_allocator) hal_client_domain(mediacodec, hal_graphics_allocator) allow mediacodec gpu_device:chr_file rw_file_perms; +allow mediacodec ion_device:chr_file rw_file_perms; allow mediacodec video_device:chr_file rw_file_perms; allow mediacodec video_device:dir search; +crash_dump_fallback(mediacodec) + +# mediacodec should never execute any executable without a domain transition +neverallow mediacodec { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *; +
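Review bot: `allow mediacodec ion_device:chr_file rw_file_perms;` grants write on ion while hal_codec2.te in this patch already gives every hal_codec2_server, mediacodec included, `ion_device:chr_file r_file_perms`, and the hunk gives no reason for the wider permission. If the attribute-level rule suffices, drop the line; if write is genuinely needed by the vendor codec libraries, a one-line comment such as `# vendor codec libraries need write on ion beyond hal_codec2_server's r_file_perms` spares the next reviewer the same question. The execute_no_trans and socket neverallows added at the end duplicate those in mediaswcodec.te and would be unnecessary if written once on the hal_codec2_server attribute in hal_codec2.te.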