Merge "Allow Exoplayer access to the vstream-secure heap for secure playback" into sc-dev am: d70813575b

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/13974361 Change-Id: I5b7c199261a4f46f3ab6ca6caa019a41889cf7cc
2021-03-24 01:23:22 +00:00 · 2021-03-24 01:23:22 +00:00 · 13b3e58059
commit 13b3e58059
parent 697b71b400 d70813575b
2 changed files with 6 additions and 0 deletions
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@ -412,6 +412,8 @@
 /dev/dma_heap/video_system                                               u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/video_system-uncached                                      u:object_r:dmabuf_system_heap_device:s0

+/dev/dma_heap/vstream-secure                                             u:object_r:dmabuf_system_secure_heap_device:s0
+
 # Video sysfs files
 /sys/devices/platform/mfc/video4linux/video6/name                              u:object_r:sysfs_video:s0
 /sys/devices/platform/mfc/video4linux/video7/name                              u:object_r:sysfs_video:s0
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@ -4,3 +4,7 @@ allow untrusted_app_all edgetpu_service:service_manager find;
 # Allows applications to access the EdgeTPU device, except open, which is guarded
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
+# for secure video playback
+allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;