From 77432c5015668029ec4e5b69d7076ba1c899d448 Mon Sep 17 00:00:00 2001
From: Sean Callanan
Date: Fri, 2 Apr 2021 20:42:01 -0700
Subject: [PATCH] whitechapel: make vframe-secure a system heap

The GPU driver uses vframe-secure for secure allocations, so the corresponding DMA heap file should be visible to all processes so use the dmabuf_system_secure_heap_device type instead. In order for this type to be used, we need to ensure that the HAL Allocator has access to it, so update hal_graphics_allocator_default.te Finally, since there are no longer any buffer types associated with the vframe_heap_device type, remove it.
Bug: 182090311
Test: run cts-dev -m CtsDeqpTestCases --module-arg CtsDeqpTestCases:include-filter:dEQP-VK.protected_memory.stack.stacksize_64 and ensure secure allocations succeed
Test: Play DRM-protected video in ExoPlayer and ensure videos render correctly via MFC->DPU.
Change-Id: Id341e52322a438974d4634a4274a7be2ddb4c9fe
---
 whitechapel/vendor/google/device.te | 3 ---
 whitechapel/vendor/google/file_contexts | 2 +-
 whitechapel/vendor/google/hal_graphics_allocator_default.te | 2 +-
 whitechapel/vendor/google/mediacodec.te | 1 -
 4 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 5c6a2d88..63bd3191 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -45,9 +45,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 #faceauth DMA-BUF heaps
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
-#vframe-secure DMA-BUF heap
-type vframe_heap_device, dmabuf_heap_device_type, dev_type;
-
 #vscaler-secure DMA-BUF heap
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 5c4b5209..f334be5f 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -440,7 +440,7 @@
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
 # vframe-secure DMA-BUF heap
-/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
 # vscaler-secure DMA-BUF heap
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/whitechapel/vendor/google/hal_graphics_allocator_default.te
index 63a7dcfb..9791dae6 100644
--- a/whitechapel/vendor/google/hal_graphics_allocator_default.te
+++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te
@@ -1,4 +1,4 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
index 07a0a5b4..ed7c1adf 100644
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -7,4 +7,3 @@ allow mediacodec hal_camera_default:binder call;
 allow mediacodec sysfs_video:file r_file_perms;
 allow mediacodec sysfs_video:dir r_dir_perms;
 allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediacodec vframe_heap_device:chr_file r_file_perms;
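Review bot: The new label on `/dev/dma_heap/vframe-secure` means the set of domains that can open this secure heap is now decided by every allow rule written against `dmabuf_system_secure_heap_device`, and only the mediacodec and graphics-allocator rules are visible in this patch. The neighbouring secure heaps (farawimg-secure, vscaler-secure) keep device-specific types, so the comment above the entry should record why this one differs, for example `# vframe-secure DMA-BUF heap: uses the platform secure-heap type because the GPU driver allocates from it`. It would also help to list the domains that gain access on the built policy, e.g. `sesearch --allow -t dmabuf_system_secure_heap_device -c chr_file <built policy file>`, and confirm that the resulting set matches the intent stated in the description. Any rule later added for this type, in platform or vendor policy, will silently extend to vframe-secure as well.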
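Review bot: The replaced rule in hal_graphics_allocator_default.te now grants access by shared type rather than by heap, so any other device node labelled `dmabuf_system_secure_heap_device` becomes readable by `hal_graphics_allocator_default`, not only vframe-secure. That is presumably acceptable, but once the `vframe_heap_device` name is gone nothing in this file ties the rule to the heap it was added for. A comment above it such as `# vframe-secure (GPU secure allocations) is labelled dmabuf_system_secure_heap_device in file_contexts` would keep that link for the next reviewer. The other three rules in the hunk still name one heap each, so a short note on why this one is broader also guards against someone "tidying" the rest to match.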