Merge "Put in sepolicies for Codec2.0 services" into pi-dev

private/app_neverallows.te

@@ -175,10 +175,12 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
   -same_process_hwservice
   -coredomain_hwservice
+  -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice

private/compat/26.0/26.0.ignore.cil

@@ -43,6 +43,7 @@
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice

private/compat/27.0/27.0.ignore.cil

@@ -37,6 +37,7 @@
     fingerprint_vendor_data_file
     fs_bpf
     hal_authsecret_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice

private/mediaserver.te

@@ -7,4 +7,5 @@ hal_client_domain(mediaserver, hal_graphics_allocator)
 
 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;

private/system_server.te

@@ -195,6 +195,7 @@ hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)

public/app.te

@@ -219,6 +219,7 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 

public/hwservice.te

@@ -8,6 +8,7 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;

public/mediacodec.te

@@ -33,6 +33,7 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)
 
 hal_client_domain(mediacodec, hal_allocator)