Remove mediacodec from binder violators.
The new binder_call() lines had to be added because this change removes mediacodec from binderservicedomain (on full-treble), hence domains that could previously reach mediacodec with binder_call(domain, binderservicedomain) now need explicit calls instead. Test: Youtube, Netflix, Maps, Chrome, Music Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
parent
e506cda312
commit
fc80f48082
4 changed files with 11 additions and 6 deletions
|
@ -273,6 +273,9 @@ get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
|
|||
# Allow app to access the graphic allocator HAL
|
||||
binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
|
||||
|
||||
# Allow app access to mediacodec (IOMX HAL)
|
||||
binder_call({ appdomain -isolated_app }, mediacodec)
|
||||
|
||||
# App can access configstore HAL which is read only
|
||||
binder_call({ appdomain -isolated_app }, hal_configstore)
|
||||
|
||||
|
|
|
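Review bot: The comment above `binder_call({ appdomain -isolated_app }, mediacodec)` does not say that this is a carry-over of access that, per the commit message, apps previously had through `binder_call(domain, binderservicedomain)`. The page has lost its +/- markers, so I am inferring that this rule and its comment are the added lines. mediacodec handles app-supplied media, and `binder_call` normally grants call/transfer, the reply transfer and `fd use`, so this edge should be easy to find when the policy is audited. I would extend the comment to `# Allow app access to mediacodec (IOMX HAL). Explicit because mediacodec is no longer in binderservicedomain on full-treble devices.`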
@ -199,6 +199,8 @@ hal_client_domain(system_server, hal_wifi)
|
|||
|
||||
hal_client_domain(system_server, hal_wifi_supplicant)
|
||||
|
||||
binder_call(system_server, mediacodec)
|
||||
|
||||
# Talk with graphics composer fences
|
||||
allow system_server hal_graphics_composer:fd use;
|
||||
|
||||
|
|
|
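Review bot: `binder_call(system_server, mediacodec)` has no comment, unlike the commented rule that follows it (`# Talk with graphics composer fences`), and the same is true of `binder_call(mediaserver, mediacodec)` in the mediaserver hunk. The reason is only in the commit message: these callers used to reach mediacodec through binderservicedomain and now need an explicit rule. I would put that next to each rule, for example `# Call mediacodec directly; it is no longer part of binderservicedomain on full-treble devices`, so the rule is not later mistaken for a stray grant or removed without checking media playback.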
@ -15,19 +15,17 @@ full_treble_only(`
|
|||
not_full_treble(`
|
||||
# on legacy devices, continue to allow /dev/binder traffic
|
||||
binder_use(mediacodec)
|
||||
binder_service(mediacodec)
|
||||
add_service(mediacodec, mediacodec_service)
|
||||
allow mediacodec mediametrics_service:service_manager find;
|
||||
allow mediacodec surfaceflinger_service:service_manager find;
|
||||
')
|
||||
binder_call(mediacodec, binderservicedomain)
|
||||
binder_call(mediacodec, appdomain)
|
||||
binder_service(mediacodec)
|
||||
|
||||
# Allow mediacodec access to composer sync fences
|
||||
allow mediacodec hal_graphics_composer:fd use;
|
||||
|
||||
# TODO(b/36604251): Remove this once OMX HAL stops using Binder
|
||||
typeattribute mediacodec binder_in_vendor_violators;
|
||||
add_service(mediacodec, mediacodec_service)
|
||||
allow mediacodec mediametrics_service:service_manager find;
|
||||
allow mediacodec surfaceflinger_service:service_manager find;
|
||||
allow mediacodec gpu_device:chr_file rw_file_perms;
|
||||
allow mediacodec video_device:chr_file rw_file_perms;
|
||||
allow mediacodec video_device:dir search;
|
||||
|
|
|
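Review bot: `binder_call(mediacodec, binderservicedomain)` and `binder_call(mediacodec, appdomain)` sit outside the `not_full_treble` block, so on full-treble devices mediacodec keeps outbound call rights to every binder service domain and every app domain. That includes `isolated_app`, which the app-side rule in this commit excludes. The page has lost its +/- markers, so I am inferring from the `-15,19 +15,17` counts that `binder_service`, `add_service` and the two `service_manager find` rules moved under `not_full_treble` while these two lines stayed as context. If they are meant to be unconditional (presumably because the `binder` class permissions also gate hwbinder transactions), a comment such as `# Needed on all devices: callbacks and replies to clients, including over hwbinder` would record that. Otherwise consider narrowing the targets to the domains mediacodec actually has to reach.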
@ -132,6 +132,8 @@ allow mediaserver system_server:fd use;
|
|||
|
||||
hal_client_domain(mediaserver, hal_allocator)
|
||||
|
||||
binder_call(mediaserver, mediacodec)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|