From 5602dfde45c2d68a5eb4594aa65c353c1db54f84 Mon Sep 17 00:00:00 2001 From: Charlie Chen Date: Thu, 1 Apr 2021 10:01:14 +0800 Subject: [PATCH] SELinux error coming from mediacodec when using GCA and secure playback Fixes the following denials: avc: denied { read } for name="name" dev="sysfs" ino=63727 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=63743 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=64010 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { search } for name="video6" dev="sysfs" ino=64587 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_video:s0 \ tclass=dir permissive=0 Bug: 182525521 Bug: 184145552 Test: GCA recording works properly, \ Netflix and ExoPlayer can play videos Change-Id: Ib7220feedc5031fb0e5c05a2b487da2ddf8b98cd --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/mediacodec.te | 1 + 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 99983880..8d550239 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -429,10 +429,6 @@
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
-# Video sysfs files
-/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0
-/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0
-
 # BigOcean
 /dev/bigocean u:object_r:video_device:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 60b9cb2c..69e9dd2c 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -243,3 +243,6 @@ genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count
 genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# mediacodec
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
index caaf5749..ed7c1adf 100644
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -5,4 +5,5 @@ userdebug_or_eng(`
 add_service(mediacodec, eco_service)
 allow mediacodec hal_camera_default:binder call;
 allow mediacodec sysfs_video:file r_file_perms;
+allow mediacodec sysfs_video:dir r_dir_perms;
 allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
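Review bot: The new `genfscon sysfs /devices/platform/mfc/video4linux/video` entry in genfs_contexts is a path-prefix match, so it labels every node under mfc/video4linux whose name begins with `video`, together with every attribute beneath those nodes, as `sysfs_video`; the file_contexts lines removed by this commit named only `video6/name` and `video7/name`. Every domain that already holds permissions on `sysfs_video` therefore sees a wider set of files, so it is worth confirming that no domain has write access on the type before relying on the broad label. The `# mediacodec` comment would help the next reader more if it said what is labelled, for example `# MFC video4linux nodes (videoN and all attributes beneath), read by mediacodec`.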
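Review bot: In mediacodec.te the added `allow mediacodec sysfs_video:dir r_dir_perms;` grants more than the directory denial quoted in the commit message, which shows only `{ search }` on `video6`. If mediacodec only resolves the known `videoN/name` paths and never lists the directory, `allow mediacodec sysfs_video:dir search;` would cover the logged denial with less access; if it does enumerate the directory, a one-line comment saying so would justify the macro. The hunk shows only the tail of the file, so whether these rules sit inside the `userdebug_or_eng` block named in the hunk header cannot be told from here.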