Commit graph

9 commits

Author SHA1 Message Date
Jason Macnak
4ddaa3f080 Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).

After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.

Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.

Ignore-AOSP-First: must be submitted in internal as a topic first to
                   avoid having duplicate definitions of sysfs_gpu
                   in projects that are only available in internal

Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 12:54:47 -07:00
Hridya Valsaraju
c68de664f9 Allow codec2 to allocate from system-secure heap
Codec2 clients should have the permission to allocate from the
system-secure DMA-BUF heap for secure playback.

avc: denied { ioctl } for path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
ioctlcmd=0x4800 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system-secure" dev="tmpfs" ino=649 scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { open } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for name="system-secure" dev="tmpfs" ino=649
scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for
comm=4E444B204D65646961436F6465635F name="system-secure" dev="tmpfs" ino=649
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1 app=com.android.systemui 0:145):
 avc: denied { open } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { ioctl } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1

Bug: 172527615
Test: manual
Change-Id: I465e5fcd660bb548e93d683e9d20cace7421ed2d
2021-01-12 12:45:01 -08:00
Hridya Valsaraju
a0e1be0fd3 Add permissions required for new DMA-BUF heap allocator
avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379
scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1 avc: denied { open } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read }
for comm="HwBinder:413_3" name="system" dev="tmpfs" ino=379 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 avc: denied { ioctl }
for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379
ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0
tclass=chr_file permissive=1 avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
app=com.android.systemui it(0.0:83): avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
app=com.android.systemui

Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: If936c5561ebf891e4b687a2c18760d16e0d31275
2020-09-16 13:21:50 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Marco Nelissen
ba258f0ec0 Remove unneeded permissions
Media component update service is removed, so selinux
permissions for it are no longer needed.

Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
2019-05-09 22:19:33 +00:00
Dongwon Kang
523c746859 SEPolicy updates for adding native flag namespace(media).
Test: add sepolicy, build, check GetServerConfigurableFlag function
Bug: 123658514
Change-Id: I798b0ef901068c53070e768305acd38118a7e886
2019-01-31 10:06:32 -08:00
Chong Zhang
52fb3edbb6 add media.codec.update service
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.

Bug: 111407413
Bug: 117290290

Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
2018-10-15 21:06:53 +00:00
Chong Zhang
bdbfff1b00 add mediaswcodec service
Set up a new service for sw media codec services.

Bug: 111407413

Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
2018-10-11 15:10:17 -07:00