From 60d07215ea2aacb004a95dea4a34893b0856ff4a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 1 Mar 2023 08:30:20 +0800
Subject: [PATCH 1/2] move gxp dump to gs-common

Bug: 240530709
Test: adb bugreport;unzip *zip;tar -xvf dumpstate_board.bin And found gxp content
Change-Id: I27b54b283609cf574796d706da0450802dc601a3
---
 gxp/Android.bp | 19 +++++++++++++++++++
 gxp/dump.mk | 4 ++++
 gxp/dump_gxp.cpp | 36 ++++++++++++++++++++++++++++++++++++
 gxp/sepolicy/dump_gxp.te | 11 +++++++++++
 gxp/sepolicy/file_contexts | 2 ++
 5 files changed, 72 insertions(+)
 create mode 100644 gxp/Android.bp
 create mode 100644 gxp/dump.mk
 create mode 100644 gxp/dump_gxp.cpp
 create mode 100644 gxp/sepolicy/dump_gxp.te
 create mode 100644 gxp/sepolicy/file_contexts

diff --git a/gxp/Android.bp b/gxp/Android.bp
new file mode 100644
index 0000000..f3683fc
--- /dev/null
+++ b/gxp/Android.bp
@@ -0,0 +1,19 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_binary {
+ name: "dump_gxp",
+ srcs: ["dump_gxp.cpp"],
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ ],
+ shared_libs: [
+ "libbase",
+ "libdump",
+ ],
+ vendor: true,
+ relative_install_path: "dump",
+}
diff --git a/gxp/dump.mk b/gxp/dump.mk
new file mode 100644
index 0000000..c1f6300
--- /dev/null
+++ b/gxp/dump.mk
@@ -0,0 +1,4 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy/
+
+PRODUCT_PACKAGES_DEBUG += dump_gxp
+
diff --git a/gxp/dump_gxp.cpp b/gxp/dump_gxp.cpp
new file mode 100644
index 0000000..80730fa
--- /dev/null
+++ b/gxp/dump_gxp.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include
+#include
+#include
+
+#define maxGxpDebugDumps 8
+
+int main() {
+ if(::android::base::GetBoolProperty("vendor.gxp.attach_to_bugreport", false)) {
+ std::string outputDir = concatenatePath(BUGREPORT_PACKING_DIR, "gxp_ssrdump");
+ printf("Creating %s", outputDir.c_str());
+ if (mkdir(outputDir.c_str(), 0777) == -1) {
+ printf("Unable to create folder: %s\n", outputDir.c_str());
+ return 0;
+ }
+
+ dumpLogs("/data/vendor/ssrdump/coredump", outputDir.c_str(), maxGxpDebugDumps, "coredump_gxp_");
+ dumpLogs("/data/vendor/ssrdump", outputDir.c_str(), maxGxpDebugDumps, "crashinfo_gxp_");
+ }
+ return 0;
+}
+
diff --git a/gxp/sepolicy/dump_gxp.te b/gxp/sepolicy/dump_gxp.te
new file mode 100644
index 0000000..61a0482
--- /dev/null
+++ b/gxp/sepolicy/dump_gxp.te
@@ -0,0 +1,11 @@
+pixel_bugreport(dump_gxp)
+
+userdebug_or_eng(`
+ allow dump_gxp radio_vendor_data_file:dir create_dir_perms;
+ allow dump_gxp radio_vendor_data_file:file create_file_perms;
+ allow dump_gxp sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow dump_gxp sscoredump_vendor_data_coredump_file:file r_file_perms;
+ allow dump_gxp sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow dump_gxp sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+')
+
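Review bot: `mkdir(outputDir.c_str(), 0777)` asks for a world-writable dump directory inside the bugreport packing area, while only this process needs to write there; `0755` (or tighter) is the safer default whatever umask the caller happens to run with. The same check also aborts with "Unable to create folder" when the directory already exists, for example on a second run into the same packing dir, so both `dumpLogs` calls are skipped; `if (mkdir(outputDir.c_str(), 0755) == -1 && errno != EEXIST) {` would keep going in that case (the `#include` targets are not legible in this extract, so `<cerrno>` may need adding). The first `printf("Creating %s", outputDir.c_str());` lacks the trailing `\n` that the error message on the next line has, so its output runs into whatever is printed next. `#define maxGxpDebugDumps 8` is also better expressed as `constexpr int kMaxGxpDebugDumps = 8;` in a C++ file built with `-Wall -Wextra -Werror`.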
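Review bot: The allow rules in dump_gxp.te carry no comment linking them to what dump_gxp.cpp touches, and the label of the output location is not visible in this patch: the binary writes under BUGREPORT_PACKING_DIR while the policy grants `create_dir_perms`/`create_file_perms` on `radio_vendor_data_file`, so presumably that is where the packing dir lives; a one-line comment such as `# BUGREPORT_PACKING_DIR (see dump_gxp.cpp) is labeled radio_vendor_data_file` would make that explicit once confirmed. Likewise the second `dumpLogs` call reads `/data/vendor/ssrdump` itself, whose directory label is not shown here; if it is not one of the two sscoredump types granted above, that dump would be denied silently under enforcing policy, so confirm the label or add the matching `r_dir_perms` rule.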
diff --git a/gxp/sepolicy/file_contexts b/gxp/sepolicy/file_contexts
new file mode 100644
index 0000000..80420f4
--- /dev/null
+++ b/gxp/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/dump/dump_gxp u:object_r:dump_gxp_exec:s0
+

From 1669f9bb604c16ffe5a81f143061d68471f2e0b9 Mon Sep 17 00:00:00 2001
From: Ernie Hsu
Date: Thu, 23 Feb 2023 09:14:29 +0000
Subject: [PATCH 2/2] move mediacodec_samsung build config and sepolicy to gs-common

1. mediacodec_samsung.te is copied from ag/20742869
2. add common settings which will be used by differnt vendor

Bug: 263444717
Test: build pass, camera record, youtube
Change-Id: I62a4c33ea59d1b3f70990f221b11fe9d905e15f1
---
 mediacodec/common/mediacodec_common.mk | 4 ++
 mediacodec/common/sepolicy/file.te | 1 +
 mediacodec/common/sepolicy/file_contexts | 1 +
 mediacodec/common/sepolicy/vndservice.te | 1 +
 .../common/sepolicy/vndservice_contexts | 1 +
 mediacodec/samsung/mediacodec_samsung.mk | 21 +++++++++++
 mediacodec/samsung/sepolicy/file.te | 1 +
 mediacodec/samsung/sepolicy/file_contexts | 2 +
 mediacodec/samsung/sepolicy/genfs_contexts | 1 +
 .../samsung/sepolicy/mediacodec_samsung.te | 37 +++++++++++++++++++
 10 files changed, 70 insertions(+)
 create mode 100644 mediacodec/common/mediacodec_common.mk
 create mode 100644 mediacodec/common/sepolicy/file.te
 create mode 100644 mediacodec/common/sepolicy/file_contexts
 create mode 100644 mediacodec/common/sepolicy/vndservice.te
 create mode 100644 mediacodec/common/sepolicy/vndservice_contexts
 create mode 100644 mediacodec/samsung/mediacodec_samsung.mk
 create mode 100644 mediacodec/samsung/sepolicy/file.te
 create mode 100644 mediacodec/samsung/sepolicy/file_contexts
 create mode 100644 mediacodec/samsung/sepolicy/genfs_contexts
 create mode 100644 mediacodec/samsung/sepolicy/mediacodec_samsung.te

diff --git a/mediacodec/common/mediacodec_common.mk b/mediacodec/common/mediacodec_common.mk
new file mode 100644
index 0000000..7f57785
--- /dev/null
+++ b/mediacodec/common/mediacodec_common.mk
@@ -0,0 +1,4 @@
+# mediacodec_common for all build configs and sepolicy shared among different Codec HAL
+# example 1: shared among multiple HALs on the same device
+# example 2: shared among different Hals on different devices
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy
diff --git a/mediacodec/common/sepolicy/file.te b/mediacodec/common/sepolicy/file.te
new file mode 100644
index 0000000..921cc69
--- /dev/null
+++ b/mediacodec/common/sepolicy/file.te
@@ -0,0 +1 @@
+type vendor_media_data_file, file_type, data_file_type;
diff --git a/mediacodec/common/sepolicy/file_contexts b/mediacodec/common/sepolicy/file_contexts
new file mode 100644
index 0000000..e92274f
--- /dev/null
+++ b/mediacodec/common/sepolicy/file_contexts
@@ -0,0 +1 @@
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
diff --git a/mediacodec/common/sepolicy/vndservice.te b/mediacodec/common/sepolicy/vndservice.te
new file mode 100644
index 0000000..0784fe3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type eco_service, vndservice_manager_type;
diff --git a/mediacodec/common/sepolicy/vndservice_contexts b/mediacodec/common/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..87800a3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+media.ecoservice u:object_r:eco_service:s0
diff --git a/mediacodec/samsung/mediacodec_samsung.mk b/mediacodec/samsung/mediacodec_samsung.mk
new file mode 100644
index 0000000..96ffac4
--- /dev/null
+++ b/mediacodec/samsung/mediacodec_samsung.mk
@@ -0,0 +1,21 @@
+PRODUCT_SOONG_NAMESPACES += vendor/samsung_slsi/codec2
+
+PRODUCT_PACKAGES += \
+ samsung.hardware.media.c2@1.2-service \
+ codec2.vendor.base.policy \
+ codec2.vendor.ext.policy \
+ libExynosC2ComponentStore \
+ libExynosC2H264Dec \
+ libExynosC2H264Enc \
+ libExynosC2HevcDec \
+ libExynosC2HevcEnc \
+ libExynosC2Mpeg4Dec \
+ libExynosC2Mpeg4Enc \
+ libExynosC2H263Dec \
+ libExynosC2H263Enc \
+ libExynosC2Vp8Dec \
+ libExynosC2Vp8Enc \
+ libExynosC2Vp9Dec \
+ libExynosC2Vp9Enc
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy
diff --git a/mediacodec/samsung/sepolicy/file.te b/mediacodec/samsung/sepolicy/file.te
new file mode 100644
index 0000000..99c3b66
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file.te
@@ -0,0 +1 @@
+type sysfs_mfc, sysfs_type, fs_type;
diff --git a/mediacodec/samsung/sepolicy/file_contexts b/mediacodec/samsung/sepolicy/file_contexts
new file mode 100644
index 0000000..6f4f29b
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# MFC
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
diff --git a/mediacodec/samsung/sepolicy/genfs_contexts b/mediacodec/samsung/sepolicy/genfs_contexts
new file mode 100644
index 0000000..d44d760
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
diff --git a/mediacodec/samsung/sepolicy/mediacodec_samsung.te b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
new file mode 100644
index 0000000..efc83d7
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
@@ -0,0 +1,37 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
+hal_server_domain(mediacodec_samsung, hal_codec2)
+add_service(mediacodec_samsung, eco_service)
+
+vndbinder_use(mediacodec_samsung)
+
+allow mediacodec_samsung video_device:chr_file rw_file_perms;
+allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
+
+allow mediacodec_samsung sysfs_mfc:file r_file_perms;
+allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
+
+# can use graphics allocator
+hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+
+binder_call(mediacodec_samsung, hal_camera_default)
+
+crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_samsung vendor_media_data_file:file create_file_perms;
+')
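Review bot: The wider device grants in mediacodec_samsung.te have no rationale comment, unlike the `hal_graphics_allocator` rule beside them: `allow mediacodec_samsung gpu_device:chr_file rw_file_perms;` and `binder_call(mediacodec_samsung, hal_camera_default)` are not self-evidently required by a codec2 HAL, and the commit message only records that the file was copied from another change. A one-line why-comment above each, in the style of the existing `# can use graphics allocator`, with the actual reason (for example `# <reason the Exynos codec components open the GPU device>` as a placeholder to fill in) would let a later reviewer decide whether either rule can be tightened or dropped. Since the domain is a hal_codec2 server handling untrusted media, keeping the rationale next to each extra capability is what makes the neverallow block below it meaningful.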