From fb862c088822b51580d59de9b9c180e4347dd5c9 Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Tue, 23 Mar 2021 12:43:37 -0700
Subject: [PATCH] Allow Exoplayer access to the vstream-secure heap for secure playback
Fixes the following denials:
avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo
avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo
avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo
Bug: 178865267
Test: no more denials
Change-Id: I6612bd56c49558b13e2ae72cfbf3552715729e7a
Signed-off-by: Hridya Valsaraju
---
 whitechapel/vendor/google/file_contexts | 2 ++
 whitechapel/vendor/google/untrusted_app_all.te | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index f7d448fd..9f1940db 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -412,6 +412,8 @@
 /dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+
 
 # Video sysfs files
 /sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0
 /sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index 8e79515f..ae7386fc 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
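Review bot: The added `/dev/dma_heap/vstream-secure` entry is followed by an added blank line, and the hunk counts (`-412,6 +412,8`) indicate a blank context line already sits before `# Video sysfs files`, so the file appears to end up with two consecutive blank lines there; dropping the added `+` blank line keeps the single-blank spacing the surrounding sections use. The denials in the commit message show the node currently carries the generic `dmabuf_heap_device` label, so after this relabel it is worth confirming with `ls -Z /dev/dma_heap/vstream-secure` on a booted device that `dmabuf_system_secure_heap_device` actually wins over whatever entry produced the generic label, rather than relying only on the denials disappearing. It would also be good to confirm that `dmabuf_system_secure_heap_device` is declared in the policy this file builds against, since nothing in this change declares it.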
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -4,3 +4,7 @@ allow untrusted_app_all edgetpu_service:service_manager find;
 # Allows applications to access the EdgeTPU device, except open, which is guarded
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
+# for secure video playback
+allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
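Review bot: The new `allow` grants every untrusted app `r_file_perms` on the secure heap node, which in AOSP's global_macros also carries `ioctl`, `map` and `lock`, while the logged denial was for `read` only; the comment should say why handing a secure heap to all untrusted apps is acceptable, and if the policy declares the DMA-BUF heap ioctl constant the `ioctl` permission can be bounded with an `allowxperm` line instead of being left open. The comment text `Exoplayer(and other applications)` is also awkward and lacks a terminating period; suggest `# Allow untrusted apps (e.g. ExoPlayer) to allocate from the vstream-secure DMA-BUF heap for secure video playback. Presumably buffers from this heap are not CPU-accessible to the app, so read/map cannot expose protected content - confirm.` The denials came from `untrusted_app_25`, which `untrusted_app_all` covers, so the attribute choice matches the log.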