From 9901ff7c4f6f71cdb1bcfb50435b6036caf66b28 Mon Sep 17 00:00:00 2001
From: Mathias Agopian <mathias@google.com>
Date: Wed, 29 Mar 2017 19:08:34 -0700
Subject: [PATCH] update sepolicy for gralloc HAL

the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
---
 private/mediadrmserver.te  | 5 +++++
 private/mediaserver.te     | 3 +++
 private/technical_debt.cil | 5 +++++
 public/mediacodec.te       | 4 +++-
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def87599f..4e511a819 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
 typeattribute mediadrmserver coredomain;
 
 init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a54a..08c3f9b2c 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,6 @@
 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8bca..abc21a758 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,8 @@
 ;     typeattribute hal_allocator_client halclientdomain;
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/public/mediacodec.te b/public/mediacodec.te
index ecbe2802c..721f624b5 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -22,13 +22,15 @@ allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
 allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
 hal_client_domain(mediacodec, hal_allocator)
 
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
 # between those two: it talks to mediacodec via Binder and talks to bufferhubd
-- 
GitLab