From 5559d21aa550ee03075b958fd65add628f31fcef Mon Sep 17 00:00:00 2001
From: Pawin Vongmasa <pawin@google.com>
Date: Tue, 24 Jan 2017 02:45:16 -0800
Subject: [PATCH] Sepolicy for OMX hal.

Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
---
 private/app.te           | 5 +++++
 private/system_server.te | 1 +
 public/mediacodec.te     | 5 +++++
 public/mediaserver.te    | 4 ++++
 4 files changed, 15 insertions(+)

diff --git a/private/app.te b/private/app.te
index e0fb6f14d..b009d9869 100644
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
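Review bot: The `hwbinder_use(appdomain)` / `hwallocator_use(appdomain)` pair grants hwbinder and HIDL-allocator access to every domain carrying the appdomain attribute, which presumably includes untrusted and isolated app domains rather than only codec clients; the TODO on the line above admits the rule is wider than intended, but the commit ships it with no guard. Until b/34454312 narrows the grant, a `neverallow` keeping isolated_app (and any other domain that must never reach a HAL) off the hwbinder device would make the over-grant fail at build time instead of silently persisting, and the comment should name the intended peer, e.g. `# TODO(b/34454312): apps need hwbinder only to reach mediacodec (OMX HAL); narrow to that service and neverallow the rest`. Whether apps can actually transact with mediacodec over hwbinder also depends on a `binder_call(appdomain, mediacodec)` rule that is not visible in this hunk — worth confirming it exists, or the grant is inert. The commit record says only `Test: Compiles`; a change that widens what every app may reach should at least be exercised against the neverallow set on a device.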
diff --git a/private/system_server.te b/private/system_server.te
index 30fe3e2ba..cba1ab3d9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@ binder_service(system_server)
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+hwallocator_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
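Review bot: The new `hwallocator_use(system_server)` line carries no comment saying why system_server needs the HIDL allocator, and nothing in the commit title ("Sepolicy for OMX hal") explains a system_server buffer-sharing path. A one-line rationale naming the consumer would let the next reviewer judge whether the grant is still needed, e.g. `# HIDL allocator: presumably for buffers shared with mediacodec/mediaserver — confirm the consumer`. If no system_server component actually allocates through the HIDL allocator, this is an unneeded privilege on the most privileged userspace domain and should be dropped.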
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 9f07d8564..6b4d67718 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@ allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
 
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
 ###
 ### neverallow rules
 ###
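Review bot: `allow mediacodec system_file:dir { open read }` is filed under the `# hidl access` comment but is a filesystem grant with no stated purpose, and its permission set is hand-written instead of using a `*_perms` macro like the `rw_file_perms` on the ion_device line above. If the domain-wide rules in domain.te already give every domain read access to system_file directories (I believe they did in this era's policy — verify), the line is redundant and should go; if it is genuinely needed, keep it with the macro and a reason, e.g. `# Enumerate /system HAL library directories when loading the OMX HAL` followed by `allow mediacodec system_file:dir r_dir_perms;`. The neverallow block that follows starts inside this hunk but continues outside it, so I cannot tell whether a stricter rule there already constrains mediacodec's system_file access.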
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 16b801328..fa472886a 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@ allow mediaserver hal_graphics_allocator:fd use;
 
 allow mediaserver system_server:fd use;
 
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
 ###
 ### neverallow rules
 ###
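Review bot: The `# hidl access` comment above `hwbinder_use(mediaserver)` does not say which HAL mediaserver is meant to reach, so the rule reads as a blanket hwbinder grant rather than the OMX-HAL client access the commit title describes. Naming the peer keeps the grant auditable: `# HIDL access: reach the OMX HAL (mediacodec) over hwbinder and share buffers through the HIDL allocator`. Neither this hunk nor the mediacodec.te one adds a `binder_call(mediaserver, mediacodec)`; if that rule is not already present elsewhere, the transactions this policy is meant to enable would still be denied.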
-- 
GitLab