whitechapel: make vframe-secure a system heap

The GPU driver uses vframe-secure for secure allocations, so the corresponding DMA heap file should be visible to all processes so use the dmabuf_system_secure_heap_device type instead. In order for this type to be used, we need to ensure that the HAL Allocator has access to it, so update hal_graphics_allocator_default.te Finally, since there are no longer any buffer types associated with the vframe_heap_device type, remove it. Bug: 182090311 Test: run cts-dev -m CtsDeqpTestCases --module-arg CtsDeqpTestCases:include-filter:dEQP-VK.protected_memory.stack.stacksize_64 and ensure secure allocations succeed Test: Play DRM-protected video in ExoPlayer and ensure videos render correctly via MFC->DPU. Change-Id: Id341e52322a438974d4634a4274a7be2ddb4c9fe
2021-04-02 20:42:01 -07:00 · 2021-04-02 20:42:01 -07:00 · 77432c5015
commit 77432c5015
parent b078284e5d
4 changed files with 2 additions and 6 deletions
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@ -45,9 +45,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 #faceauth DMA-BUF heaps
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;

-#vframe-secure DMA-BUF heap
-type vframe_heap_device, dmabuf_heap_device_type, dev_type;
-
 #vscaler-secure DMA-BUF heap
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;

--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@ -440,7 +440,7 @@
 /dev/dma_heap/farawimg-secure                                                  u:object_r:faceauth_heap_device:s0

 # vframe-secure DMA-BUF heap
-/dev/dma_heap/vframe-secure                                                    u:object_r:vframe_heap_device:s0
+/dev/dma_heap/vframe-secure                                                    u:object_r:dmabuf_system_secure_heap_device:s0

 # vscaler-secure DMA-BUF heap
 /dev/dma_heap/vscaler-secure                                                   u:object_r:vscaler_heap_device:s0
--- a/whitechapel/vendor/google/hal_graphics_allocator_default.te
+++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te
@ -1,4 +1,4 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@ -7,4 +7,3 @@ allow mediacodec hal_camera_default:binder call;
 allow mediacodec sysfs_video:file r_file_perms;
 allow mediacodec sysfs_video:dir r_dir_perms;
 allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediacodec vframe_heap_device:chr_file r_file_perms;