mediacodec: fix vpu device sepolicy for video playback

08-27 11:30:17.500   734   734 I binder:734_4: type=1400 audit(0.0:1288): avc:  denied  { read write } for  name="vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500   734   734 I binder:734_4: type=1400 audit(0.0:1289): avc:  denied  { open } for  path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500   734   734 I binder:734_4: type=1400 audit(0.0:1290): avc:  denied  { ioctl } for  path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4200 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500   734   734 I binder:734_4: type=1400 audit(0.0:1291): avc:  denied  { map } for  path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:18.944   734   734 I FetchThread: type=1400 audit(0.0:1292): avc:  denied  { ioctl } for  path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4207 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1

Bug: 353638738
Flag: EXEMPT bugfix
Test: video playback
Change-Id: I8ad4507693a4a0fbbd2709bd79d25b1ef4109904
Ernie Hsu 2024-08-27 03:32:27 +00:00
parent e4506b0159
commit a01bc1d315

@ -8,6 +8,7 @@ hal_server_domain(mediacodec_google, hal_codec2)
hal_client_domain(mediacodec_google, hal_graphics_allocator)
allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec_google video_device:chr_file { read write open ioctl map };
# mediacodec_google should never execute any executable without a domain transition
neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
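Review bot: the `ioctl` permission in `allow mediacodec_google video_device:chr_file { read write open ioctl map };` carries no command filter, while the denials in the commit message only show ioctlcmd=0x4200 and ioctlcmd=0x4207 on /dev/vpu. Consider adding an `allowxperm mediacodec_google video_device:chr_file ioctl { ... };` rule that lists the commands the codec needs (the two logged values are a starting point and may not be the full set), so the domain is not able to issue arbitrary ioctls to the driver. The rule also applies to every device node labelled `video_device`, not only /dev/vpu; a dedicated type for the VPU node would keep the grant scoped to the device seen in the denials. Since the logged denials were captured with permissive=1, it is worth repeating the "video playback" test in enforcing mode to confirm that no further accesses are blocked once this rule is in place.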