From 1669f9bb604c16ffe5a81f143061d68471f2e0b9 Mon Sep 17 00:00:00 2001
From: Ernie Hsu
Date: Thu, 23 Feb 2023 09:14:29 +0000
Subject: [PATCH] move mediacodec_samsung build config and sepolicy to gs-common

1. mediacodec_samsung.te is copied from ag/20742869
2. add common settings which will be used by differnt vendor

Bug: 263444717
Test: build pass, camera record, youtube
Change-Id: I62a4c33ea59d1b3f70990f221b11fe9d905e15f1
---
 mediacodec/common/mediacodec_common.mk | 4 ++
 mediacodec/common/sepolicy/file.te | 1 +
 mediacodec/common/sepolicy/file_contexts | 1 +
 mediacodec/common/sepolicy/vndservice.te | 1 +
 .../common/sepolicy/vndservice_contexts | 1 +
 mediacodec/samsung/mediacodec_samsung.mk | 21 +++++++++++
 mediacodec/samsung/sepolicy/file.te | 1 +
 mediacodec/samsung/sepolicy/file_contexts | 2 +
 mediacodec/samsung/sepolicy/genfs_contexts | 1 +
 .../samsung/sepolicy/mediacodec_samsung.te | 37 +++++++++++++++++++
 10 files changed, 70 insertions(+)
 create mode 100644 mediacodec/common/mediacodec_common.mk
 create mode 100644 mediacodec/common/sepolicy/file.te
 create mode 100644 mediacodec/common/sepolicy/file_contexts
 create mode 100644 mediacodec/common/sepolicy/vndservice.te
 create mode 100644 mediacodec/common/sepolicy/vndservice_contexts
 create mode 100644 mediacodec/samsung/mediacodec_samsung.mk
 create mode 100644 mediacodec/samsung/sepolicy/file.te
 create mode 100644 mediacodec/samsung/sepolicy/file_contexts
 create mode 100644 mediacodec/samsung/sepolicy/genfs_contexts
 create mode 100644 mediacodec/samsung/sepolicy/mediacodec_samsung.te

diff --git a/mediacodec/common/mediacodec_common.mk b/mediacodec/common/mediacodec_common.mk
new file mode 100644
index 0000000..7f57785
--- /dev/null
+++ b/mediacodec/common/mediacodec_common.mk
@@ -0,0 +1,4 @@
+# mediacodec_common for all build configs and sepolicy shared among different Codec HAL
+# example 1: shared among multiple HALs on the same device
+# example 2: shared among different Hals on different devices
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy
diff --git a/mediacodec/common/sepolicy/file.te b/mediacodec/common/sepolicy/file.te
new file mode 100644
index 0000000..921cc69
--- /dev/null
+++ b/mediacodec/common/sepolicy/file.te
@@ -0,0 +1 @@
+type vendor_media_data_file, file_type, data_file_type;
diff --git a/mediacodec/common/sepolicy/file_contexts b/mediacodec/common/sepolicy/file_contexts
new file mode 100644
index 0000000..e92274f
--- /dev/null
+++ b/mediacodec/common/sepolicy/file_contexts
@@ -0,0 +1 @@
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
diff --git a/mediacodec/common/sepolicy/vndservice.te b/mediacodec/common/sepolicy/vndservice.te
new file mode 100644
index 0000000..0784fe3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type eco_service, vndservice_manager_type;
diff --git a/mediacodec/common/sepolicy/vndservice_contexts b/mediacodec/common/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..87800a3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+media.ecoservice u:object_r:eco_service:s0
diff --git a/mediacodec/samsung/mediacodec_samsung.mk b/mediacodec/samsung/mediacodec_samsung.mk
new file mode 100644
index 0000000..96ffac4
--- /dev/null
+++ b/mediacodec/samsung/mediacodec_samsung.mk
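Review bot: The common `file_contexts` hunk labels `/data/vendor/media(/.*)?` as `vendor_media_data_file`, a writable `data_file_type`, but neither the `type` line in `file.te` nor the label line says what the directory is for or which domains may touch it; the only consumer in this patch grants write access inside `userdebug_or_eng`, so the intent appears to be a debug-only dump area. Add a comment on the `type` line, `# /data/vendor/media: debug dump area for codec HALs; grant write access only under userdebug_or_eng`, so a later vendor policy does not open it on user builds. Nothing in this patch creates the directory (no init.rc mkdir is included), so whoever pulls in the common policy presumably has to create it with the matching label — worth stating in the `mediacodec_common.mk` header comment.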
@@ -0,0 +1,21 @@
+PRODUCT_SOONG_NAMESPACES += vendor/samsung_slsi/codec2
+
+PRODUCT_PACKAGES += \
+ samsung.hardware.media.c2@1.2-service \
+ codec2.vendor.base.policy \
+ codec2.vendor.ext.policy \
+ libExynosC2ComponentStore \
+ libExynosC2H264Dec \
+ libExynosC2H264Enc \
+ libExynosC2HevcDec \
+ libExynosC2HevcEnc \
+ libExynosC2Mpeg4Dec \
+ libExynosC2Mpeg4Enc \
+ libExynosC2H263Dec \
+ libExynosC2H263Enc \
+ libExynosC2Vp8Dec \
+ libExynosC2Vp8Enc \
+ libExynosC2Vp9Dec \
+ libExynosC2Vp9Enc
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy
diff --git a/mediacodec/samsung/sepolicy/file.te b/mediacodec/samsung/sepolicy/file.te
new file mode 100644
index 0000000..99c3b66
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file.te
@@ -0,0 +1 @@
+type sysfs_mfc, sysfs_type, fs_type;
diff --git a/mediacodec/samsung/sepolicy/file_contexts b/mediacodec/samsung/sepolicy/file_contexts
new file mode 100644
index 0000000..6f4f29b
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# MFC
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
diff --git a/mediacodec/samsung/sepolicy/genfs_contexts b/mediacodec/samsung/sepolicy/genfs_contexts
new file mode 100644
index 0000000..d44d760
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
diff --git a/mediacodec/samsung/sepolicy/mediacodec_samsung.te b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
new file mode 100644
index 0000000..efc83d7
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
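Review bot: `mediacodec_samsung.mk` adds only `mediacodec/samsung/sepolicy` to `BOARD_VENDOR_SEPOLICY_DIRS`, yet the `mediacodec_samsung.te` in this same patch references `eco_service` and `vendor_media_data_file`, both declared in `mediacodec/common/sepolicy`, which is only added by the separate `mediacodec_common.mk`. A device config that includes the Samsung file without the common one will fail the policy build on those undeclared types, and nothing in this file tells the integrator that. Either pull the common config in from here, `include device/google/gs-common/mediacodec/common/mediacodec_common.mk`, or state the dependency at the top of the file: `# Requires mediacodec/common/mediacodec_common.mk (declares eco_service, vendor_media_data_file)`. The file also mixes `PRODUCT_*` and `BOARD_*` variables, which normally live in product and board config respectively; if that is deliberate for gs-common, a one-line comment saying so would save the next reader the question.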
@@ -0,0 +1,37 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
+hal_server_domain(mediacodec_samsung, hal_codec2)
+add_service(mediacodec_samsung, eco_service)
+
+vndbinder_use(mediacodec_samsung)
+
+allow mediacodec_samsung video_device:chr_file rw_file_perms;
+allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
+
+allow mediacodec_samsung sysfs_mfc:file r_file_perms;
+allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
+
+# can use graphics allocator
+hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+
+binder_call(mediacodec_samsung, hal_camera_default)
+
+crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_samsung vendor_media_data_file:file create_file_perms;
+')
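Review bot: `allow mediacodec_samsung gpu_device:chr_file rw_file_perms;` and `binder_call(mediacodec_samsung, hal_camera_default)` are the two grants that take this domain beyond a plain codec2 server (write access to the GPU device node and IPC into the camera HAL), and neither carries a why-comment, while the file's own header says media processing code should have limited permissions and be isolated from the rest of the system. Add a one-line rationale on each in the style of the existing `# can use graphics allocator`, e.g. `# rw on gpu_device: <which codec path needs it>` and `# binder_call into hal_camera_default: <which interface is called>`, filled in by whoever owns the dependency, so a later audit can tell whether the grant is still needed rather than re-deriving it from denials. The commit message says this file was copied from ag/20742869, so these may simply be inherited; if the camera-side call exists only to serve the ECO service registered by `add_service` above, saying so next to that line would make the link visible.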