From a01bc1d315713b65dfc61251878ea51357d31836 Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Tue, 27 Aug 2024 03:32:27 +0000 Subject: [PATCH] mediacodec: fix vpu device sepolicy for video playback 08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1288): avc: denied { read write } for name="vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1289): avc: denied { open } for path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1290): avc: denied { ioctl } for path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4200 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1291): avc: denied { map } for path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 08-27 11:30:18.944 734 734 I FetchThread: type=1400 audit(0.0:1292): avc: denied { ioctl } for path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4207 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 Bug: 353638738 Flag: EXEMPT bugfix Test: video playback Change-Id: I8ad4507693a4a0fbbd2709bd79d25b1ef4109904
---
 mediacodec/vpu/sepolicy/mediacodec_google.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 2c5d1cb..e0f5d7f 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -8,6 +8,7 @@ hal_server_domain(mediacodec_google, hal_codec2)
 hal_client_domain(mediacodec_google, hal_graphics_allocator)
 allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file { read write open ioctl map };
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
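Review bot: The added `allow mediacodec_google video_device:chr_file { read write open ioctl map };` grants `ioctl` with no extended-permission filter, so unless an `allowxperm` for this pair exists elsewhere in the policy, every ioctl command on the node is permitted, not only the 0x4200 and 0x4207 seen in the logged denials. Pairing it with an allowlist such as `allowxperm mediacodec_google video_device:chr_file ioctl { 0x4200 0x4207 };` would limit the codec process to the driver commands it needs. Those two values come from one playback run in permissive mode, so the full set should be confirmed against the VPU driver's ioctl definitions before enforcing. `video_device` also appears to be a shared device label rather than one specific to `/dev/vpu`, so the rule would cover every character device carrying that label. If the node's labelling is under this project's control, a dedicated device type for `/dev/vpu` would scope the read/write/map access to the VPU alone.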