From b52121a259a1cc8bd652233abefb5d6d770b2568 Mon Sep 17 00:00:00 2001
From: wenchangliu
Date: Thu, 11 Mar 2021 22:34:13 +0800
Subject: [PATCH 1/2] Add sepolicy for MFC device
- Add sysfs_video type for mfc device
- Allow mediacode to access sysfs_video
avc: denied { read } for name="name" dev="sysfs" ino=62278 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { read } for name="name" dev="sysfs" ino=62230 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
Bug: 172173484
Test: video playback / camera recording with enforcing mode
Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6
---
tracking_denials/mediacodec.te | 7 -------
whitechapel/vendor/google/file.te | 3 +++
whitechapel/vendor/google/file_contexts | 4 ++++
whitechapel/vendor/google/mediacodec.te | 1 +
4 files changed, 8 insertions(+), 7 deletions(-)
delete mode 100644 tracking_denials/mediacodec.te
diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te
deleted file mode 100644
index d4a74b8a..00000000
--- a/tracking_denials/mediacodec.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/172173484
-dontaudit mediacodec sysfs:file { getattr };
-dontaudit mediacodec sysfs:file { open };
-dontaudit mediacodec sysfs:file { read };
-userdebug_or_eng(`
- permissive mediacodec;
-')
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 5776174b..eafc7a48 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -177,3 +177,6 @@ type sysfs_memory, sysfs_type, fs_type;
 # bcmdhd (Broadcom FullMAC wireless cards support)
 type sysfs_bcmdhd, sysfs_type, fs_type;
+
+# Video
+type sysfs_video, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 68bcf67f..8a7d5906 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -401,3 +401,7 @@
 # video system DMA-BUF heap
 /dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0
+
+# Video sysfs files
+/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0
+/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
index d3b108f6..2264eac9 100644
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -4,3 +4,4 @@ userdebug_or_eng(`
 add_service(mediacodec, eco_service)
 allow mediacodec hal_camera_default:binder call;
+allow mediacodec sysfs_video:file r_file_perms;
From f98706e87b021353b38bbeebbd63edd431e4c568 Mon Sep 17 00:00:00 2001
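Review bot: The new `sysfs_video` type is declared with only `# Video` above it, which does not say what it covers, and the name suggests the whole MFC sysfs tree while the rest of the series labels just two V4L2 `name` attributes with it. A scoped comment keeps the next person from widening the type by accident: replace `# Video` with `# MFC V4L2 device name attributes (/sys/devices/platform/mfc/video4linux/video*/name), read by mediacodec`. The preceding blank context line of this hunk was lost in the page's formatting, so the hunk shows one context line fewer than its header counts.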
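Review bot: The two new `/sys/devices/platform/mfc/video4linux/video[67]/name` entries only take effect if init runs restorecon over that path after the MFC driver has registered its V4L2 nodes; sysfs labels are otherwise assigned through `genfscon` in genfs_contexts, so confirm which mechanism this device relies on, or the files stay `sysfs` and the logged denials return once `permissive mediacodec` is gone. The `video6`/`video7` indices are also assigned at registration time, so a probe-order or driver change silently drops the labels (fail-closed, but a regression that will show up as new denials). A regex anchored on the platform device keeps the scope just as tight while surviving renumbering: `/sys/devices/platform/mfc/video4linux/video[0-9]+/name u:object_r:sysfs_video:s0`.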
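Review bot: `r_file_perms` grants more than the three permissions in the logged denials (`read`, `open`, `getattr`): in AOSP's global_macros it also carries at least `ioctl`, `lock` and `map`, none of which reading a sysfs attribute needs. Since the point of carving `sysfs_video` out of `sysfs` is least privilege, `allow mediacodec sysfs_video:file { getattr open read };` matches the observed need exactly and leaves nothing for a compromised codec process to probe. mediacodec must also traverse the `sysfs`-labelled parent directories to reach these files, which works only if it already has dir search on `sysfs_type` from core policy; the enforcing-mode test suggests it does, but the hunk does not show it. The enclosing file continues outside the hunk.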
From: wenchangliu
Date: Thu, 11 Mar 2021 22:52:45 +0800
Subject: [PATCH 2/2] Add sepolicy for BigOcean device
add /dev/bigocean to video_device
avc: denied { read write } for name="bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { open } for path="/dev/bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/bigocean" dev="tmpfs" ino=629 \
ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for comm=436F646563322E30204C6F6F706572 path="/dev/bigocean" \
dev="tmpfs" ino=629 ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 \
tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Bug: 172173484
Test: Play AV1 clips in enforcing mode
Change-Id: Ie0ed96d7bf4324bd38a9c42500f4f747f092bfd9
---
whitechapel/vendor/google/file_contexts | 3 +++
1 file changed, 3 insertions(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 8a7d5906..da3ee7b0 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -405,3 +405,6 @@
 # Video sysfs files
 /sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0
 /sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0
+
+# BigOcean
+/dev/bigocean u:object_r:video_device:s0
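Review bot: Labelling `/dev/bigocean` with the shared `video_device` type opens the AV1 decoder to every domain that already holds `video_device` access, not only to `mediacodec` whose denials motivated the change; core policy hands that type to several media and camera domains, so the grant is wider than the commit message states (verify against the domains on this device). The logged `ioctlcmd=0x4202` has ioctl type 'B' rather than the V4L2 'V', which suggests a private driver ABI that deserves an ioctl allowlist instead of the unrestricted `ioctl` the generic `video_device` rules carry. A dedicated device type keeps both the set of callers and the reachable ioctls minimal; the denials show only 0x4202, so extend the allowlist once the driver's ioctl set has been audited rather than guessing.
```selinux
# device.te
type bigocean_device, dev_type;
# file_contexts
/dev/bigocean u:object_r:bigocean_device:s0
# mediacodec.te
allow mediacodec bigocean_device:chr_file rw_file_perms;
allowxperm mediacodec bigocean_device:chr_file ioctl { 0x4202 };
```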