From fded60a79e98aaa2b2c00e5cd1002dece652f38a Mon Sep 17 00:00:00 2001
From: Ruofei Ma
Date: Fri, 12 Nov 2021 22:47:56 +0000
Subject: [PATCH] Add SELinux policy for mediacodec_google

mediacodec_google represents google av1 decoder hal service.
Bug: 205657135
Signed-off-by: Ruofei Ma
Change-Id: Ied61107d1991a22b24170b055bf3613165cbe050
---
 tracking_denials/mediacodec_google.te | 7 -------
 whitechapel_pro/mediacodec_google.te | 26 +++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 8 deletions(-)
 delete mode 100644 tracking_denials/mediacodec_google.te
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
deleted file mode 100644
index ba517318..00000000
--- a/tracking_denials/mediacodec_google.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205657135
-dontaudit mediacodec_google dmabuf_system_heap_device:chr_file { getattr };
-dontaudit mediacodec_google vndbinder_device:chr_file { ioctl };
-dontaudit mediacodec_google vndbinder_device:chr_file { map };
-dontaudit mediacodec_google vndbinder_device:chr_file { open };
-dontaudit mediacodec_google vndbinder_device:chr_file { read };
-dontaudit mediacodec_google vndbinder_device:chr_file { write };
diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te
index 8ea19668..c750ea75 100644
--- a/whitechapel_pro/mediacodec_google.te
+++ b/whitechapel_pro/mediacodec_google.te
@@ -1,5 +1,29 @@
 type mediacodec_google, domain;
-type mediacodec_google_exec, vendor_file_type, exec_type, file_type;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
 init_daemon_domain(mediacodec_google)
 
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_google)
+
 hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
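Review bot: `allow mediacodec_google video_device:chr_file rw_file_perms;` grants read/write on video device nodes with no comment, and none of the denials tracked for b/205657135 in the deleted tracking_denials file involve video_device (they cover vndbinder_device and a getattr on dmabuf_system_heap_device), though that list may not have been the complete set. Given this file's own statement that media processing code should have limited permissions, I would drop the rule until a denial shows the decoder needs it, or keep it with a comment that names the reason, e.g. `# <why the AV1 decoder HAL opens a video_device node>`. The same applies, less strongly, to `r_file_perms` on dmabuf_system_heap_device where only getattr was recorded; a one-line comment saying the heap is opened for buffer allocation would do, if that is the reason. The file also ends without a trailing newline after the last neverallow; add one so the rule cannot run together with whatever policy text is concatenated after it.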