From 4bb1061c2db60be99ce9e691fc01a8b04ce379a4 Mon Sep 17 00:00:00 2001
From: wenchangliu <wenchangliu@google.com>
Date: Tue, 23 Nov 2021 22:34:55 +0800
Subject: [PATCH] Add SELinux policy for mediacodec_samsung

mediacodec_samsung is separated from mediacodec for
mfc encoder/decoder. Add assumption from mediacodec.te
as well.

Bug: 204718809
Test: boot to home
Change-Id: I67ce385903cf5abd2ba9dc62b7229320b3f7daa9
---
 whitechapel_pro/mediacodec_samsung.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
index 253a8615..446693e6 100644
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -15,3 +15,13 @@ allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
 hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
 
 crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;