From ee3a8ea798f1675a45cff8b7337a885d6fcbac3d Mon Sep 17 00:00:00 2001
From: Hangyu Kuang
Date: Wed, 27 Nov 2019 18:10:01 -0800
Subject: [PATCH] MediaTranscodingService: Add sepolicy for MediaTranscodingService.
Bug:145233472
Test: Build and flash the phone. "adb shell dumpsys -l | grep media" shows media.transcoding service.
Change-Id: I48a42e7b595754989c92a8469eb91360ab6db7c6
---
 private/compat/29.0/29.0.ignore.cil | 4 ++++
 private/file_contexts | 1 +
 private/mediaserver.te | 1 +
 private/mediatranscoding.te | 3 +++
 private/service_contexts | 1 +
 public/mediatranscoding.te | 26 ++++++++++++++++++++++++++
 public/service.te | 1 +
 7 files changed, 37 insertions(+)
 create mode 100644 private/mediatranscoding.te
 create mode 100644 public/mediatranscoding.te
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88e6efd9a..383ff3c65 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -26,6 +26,10 @@
 iorap_prefetcherd_data_file
 iorap_prefetcherd_exec
 iorap_prefetcherd_tmpfs
+ mediatranscoding_service
+ mediatranscoding
+ mediatranscoding_exec
+ mediatranscoding_tmpfs
 linker_prop
 mock_ota_prop
 ota_metadata_file
diff --git a/private/file_contexts b/private/file_contexts
index 2ec5b2f0f..69b6c58e0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,6 +239,7 @@
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
 /system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
+/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
 /system/bin/installd u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/mediaserver.te b/private/mediaserver.te
index d74ab9573..195c3a50d 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
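Review bot: `mediatranscoding_tmpfs` is added to the 29.0 ignore list, but nothing in this patch declares that type: private/mediatranscoding.te has `init_daemon_domain(mediatranscoding)` and no `tmpfs_domain(mediatranscoding)` (the macro that declares `<domain>_tmpfs`), and public/mediatranscoding.te declares only `mediatranscoding` and `mediatranscoding_exec`. If the daemon does not need a tmpfs type, the entry is dead and should be dropped; if it does, add `tmpfs_domain(mediatranscoding)` to the private file so the ignored name actually exists. The other three entries in this hunk match types the patch declares.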
@@ -10,3 +10,4 @@
 hal_client_domain(mediaserver, hal_drm)
 hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
+allow mediaserver mediatranscoding_service:service_manager find;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
new file mode 100644
index 000000000..e0ad84c66
--- /dev/null
+++ b/private/mediatranscoding.te
@@ -0,0 +1,3 @@
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
diff --git a/private/service_contexts b/private/service_contexts
index fa52a05a2..1902a4886 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -118,6 +118,7 @@ media.log u:object_r:audioserver_service:s0
 media.player u:object_r:mediaserver_service:s0
 media.metrics u:object_r:mediametrics_service:s0
 media.extractor u:object_r:mediaextractor_service:s0
+media.transcoding u:object_r:mediatranscoding_service:s0
 media.resource_manager u:object_r:mediaserver_service:s0
 media.sound_trigger_hw u:object_r:audioserver_service:s0
 media.drm u:object_r:mediadrmserver_service:s0
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 000000000..386535bb2
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1,26 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+
+binder_use(mediatranscoding)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+allow mediatranscoding system_server:fd use;
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/service.te b/public/service.te
index f746727db..31575c575 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@ type mediaserver_service, service_manager_type;
 type mediametrics_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
+type mediatranscoding_service, app_api_service, service_manager_type;
 type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
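Review bot: `allow mediatranscoding system_server:fd use;` is the one rule in this file with no comment saying why it is needed, while both neverallows in the hunk are explained; an fd grant from system_server is exactly the kind of rule a later reviewer will want justified. A one-line comment above it such as `# system_server passes file descriptors to mediatranscoding over binder ([which descriptors: fill in])` would do. Note also that `fd use` alone does not grant read or write on the files behind those descriptors, so if the daemon is meant to read media handed to it, further file-class rules will presumably follow in a later change; saying so in the comment would keep that expectation visible.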
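Review bot: `mediatranscoding_service` is declared with `app_api_service`, which makes the new daemon reachable from every app domain from its first commit, whereas the neighbouring media service types in this hunk (`mediametrics_service`, `mediaextractor_service`, `mediadrmserver_service`) carry only `service_manager_type`. The public .te in this patch grants the domain little beyond binder and one fd rule, so the exposure may be harmless today, but the attribute fixes the access model before the interface exists. If apps are the intended clients, a comment on the type saying so would help; otherwise leave the attribute out until the app-facing API lands and add it deliberately in that change.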