Add sepolicy for MFC device

- Add sysfs_video type for mfc device - Allow mediacode to access sysfs_video avc: denied { read } for name="name" dev="sysfs" ino=62278 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \ dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \ dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { read } for name="name" dev="sysfs" ino=62230 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 Bug: 172173484 Test: video playback / camera recording with enforcing mode Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6
2021-03-11 22:34:13 +08:00 · 2021-03-11 22:34:13 +08:00 · b52121a259
commit b52121a259
parent 6657774b4c
4 changed files with 8 additions and 7 deletions
--- a/tracking_denials/mediacodec.te
+++ b/tracking_denials/mediacodec.te
@ -1,7 +0,0 @@
-# b/172173484
-dontaudit mediacodec sysfs:file { getattr };
-dontaudit mediacodec sysfs:file { open };
-dontaudit mediacodec sysfs:file { read };
-userdebug_or_eng(`
-  permissive mediacodec;
-')
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@ -177,3 +177,6 @@ type sysfs_memory, sysfs_type, fs_type;

 # bcmdhd (Broadcom FullMAC wireless cards support)
 type sysfs_bcmdhd, sysfs_type, fs_type;
+
+# Video
+type sysfs_video, sysfs_type, fs_type;
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@ -401,3 +401,7 @@
 # video system DMA-BUF heap
 /dev/dma_heap/video_system                                               u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/video_system-uncached                                      u:object_r:dmabuf_system_heap_device:s0
+
+# Video sysfs files
+/sys/devices/platform/mfc/video4linux/video6/name                              u:object_r:sysfs_video:s0
+/sys/devices/platform/mfc/video4linux/video7/name                              u:object_r:sysfs_video:s0
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@ -4,3 +4,4 @@ userdebug_or_eng(`

 add_service(mediacodec, eco_service)
 allow mediacodec hal_camera_default:binder call;
+allow mediacodec sysfs_video:file r_file_perms;