Snap for 12116631 from 826a8afe4c to 24Q4-release

Change-Id: Iee62a9b321686c5b56576a9237d7c8d6e11ffca0
2024-07-20 01:02:01 +00:00 · 2024-07-20 01:02:01 +00:00 · 821bc67975
commit 821bc67975
parent 340698deeb 826a8afe4c
4 changed files with 48 additions and 0 deletions
--- a/edgetpu/sepolicy/edgetpu_tachyon_service.te
+++ b/edgetpu/sepolicy/edgetpu_tachyon_service.te
@ -63,3 +63,8 @@ allow edgetpu_tachyon_server privapp_data_file:file { map read};
 userdebug_or_eng(`
    allow edgetpu_tachyon_server shell_data_file:file { map read};
 ')
 # For shell level testing
 userdebug_or_eng(`
    binder_call(edgetpu_tachyon_server, shell);
 ')
--- a/mediacodec/vpu/mediacodec_google.mk
+++ b/mediacodec/vpu/mediacodec_google.mk
@ -0,0 +1,21 @@
 PRODUCT_SOONG_NAMESPACES += hardware/google/video/cnm
 PRODUCT_PACKAGES += \
 	google.hardware.media.c2@3.0-service \
 	libgc2_store \
 	libgc2_base \
 	libgc2_vdi_vpu \
 	libgc2_log \
 	libgc2_utils \
 	libgc2_av1_dec \
 	libgc2_vp9_dec \
 	libgc2_hevc_dec \
 	libgc2_avc_dec \
 	libgc2_av1_enc \
 	libgc2_hevc_enc \
 	libgc2_avc_enc \
 	vpu_firmware
 $(call soong_config_set,cnm,soc,$(TARGET_BOARD_PLATFORM))
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/vpu/sepolicy
--- a/mediacodec/vpu/sepolicy/file_contexts
+++ b/mediacodec/vpu/sepolicy/file_contexts
@ -0,0 +1,2 @@
 /vendor/bin/hw/google\.hardware\.media\.c2@3\.0-service                     u:object_r:mediacodec_google_exec:s0
 /dev/vpu                                                                    u:object_r:video_device:s0
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@ -0,0 +1,20 @@
 type mediacodec_google, domain;
 type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mediacodec_google)
 hal_server_domain(mediacodec_google, hal_codec2)
 hal_client_domain(mediacodec_google, hal_graphics_allocator)
 allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 # Media processing code is inherently risky and thus should have limited
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
		`@ -0,0 +1,2 @@`
							`/vendor/bin/hw/google\.hardware\.media\.c2@3\.0-service u:object_r:mediacodec_google_exec:s0`
							`/dev/vpu u:object_r:video_device:s0`