Merge "Sepolicy for OMX hal." am: 5b4f15e1 am: 6f443b87 am: d1eb4564

am: d85cd20d Change-Id: I3dbea2d195d5dd8fa27e6c702c5772b2d5b0825b

Merge "Sepolicy for OMX hal." am: 5b4f15e1 am: 6f443b87 am: d1eb4564
8c985ed5 · Pawin Vongmasa · android-build-merger · 56d45bf4 · d85cd20d · 8c985ed5
Commit 8c985ed5 authored 8 years ago by Pawin Vongmasa Committed by android-build-merger 8 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)

+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@ binder_service(system_server)

 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+hwallocator_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)

--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@ allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;

+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
 ###
 ### neverallow rules
 ###

--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@ allow mediaserver hal_graphics_allocator:fd use;

 allow mediaserver system_server:fd use;

+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
 ###
 ### neverallow rules
 ###