Evolution-X-Tensor/device_google_gs-common
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

mediacodec: fix permission for vendor_media_data and ecoservice

Browse source 
vendor_media_data:
08-27 12:07:01.540   747   747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1785): avc:  denied  { search } for  comm=436F646563322E30204C6F6F706572 name="media" dev="dm-57" ino=399 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1
08-27 12:07:01.540   747   747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1786): avc:  denied  { write } for  comm=436F646563322E30204C6F6F706572 name="media" dev="dm-57" ino=399 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1
08-27 12:07:01.540   747   747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1787): avc:  denied  { add_name } for  comm=436F646563322E30204C6F6F706572 name="input_7335.bin" scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1
08-27 12:07:01.540   747   747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1788): avc:  denied  { create } for  comm=436F646563322E30204C6F6F706572 name="input_7335.bin" scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=file permissive=1
08-27 12:07:01.540   747   747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1789): avc:  denied  { append open } for  comm=436F646563322E30204C6F6F706572 path="/data/vendor/media/input_7335.bin" dev="dm-57" ino=26749 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=file permissive=1

ecoservice:
08-27 13:07:44.686   358   358 E SELinux : avc:  denied  { find } for pid=743 uid=1046 name=media.ecoservice scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:eco_service:s0 tclass=service_manager permissive=1

Flag: EXEMPT bugfix
Test: video playback and screen record
Bug: 361093311
Change-Id: I37d5081061bad2917b24e320f4e4a9c8116db6fa
This commit is contained in:
Ernie Hsu 2024-08-27 04:11:51 +00:00
parent e341a7fc8f
commit 13883d9a54
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
mediacodec/vpu/sepolicy/mediacodec_google.te
View file

@ -7,6 +7,8 @@ hal_server_domain(mediacodec_google, hal_codec2)
hal_client_domain(mediacodec_google, hal_graphics_allocator) hal_client_domain(mediacodec_google, hal_graphics_allocator)
add_service(mediacodec_google, eco_service)
allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec_google video_device:chr_file { read write open ioctl map }; allow mediacodec_google video_device:chr_file { read write open ioctl map };
@ -19,3 +21,8 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
userdebug_or_eng(`
allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
allow mediacodec_google vendor_media_data_file:file create_file_perms;
')