From ded9266dd4f15f016ccacd191e8fc6fe90084d3f Mon Sep 17 00:00:00 2001
From: Ankit Goyal
Date: Wed, 19 Apr 2023 11:34:27 -0700
Subject: [PATCH] Mark video secure devices as default dmabuf heaps

Mali driver (and codec HAL as well) require direct access to video secure dmabuf devices. Mali driver being an SP-HAL cannot explicitly write blanket rules for all the scontext. So, we piggyback on dmabuf_system_secure_heap_device to allow all scontext to be able to use these device nodes. This is just as secure as dmabuf_system_secure_heap_device in that case. There is no additional security impact. An app can still use gralloc to allocate buffers from these heaps and disallowing access to these heaps to the intended users.
Fix: 278823239
Fix: 278513588
Fix: 275646321
Test: dEQP-VK.memory.allocation
Change-Id: I01a2730fc222efe94d4e48e7ee4c317aa65f0064
---
 vendor/device.te | 3 ++-
 vendor/file_contexts | 6 +++---
 vendor/hal_graphics_allocator_default.te | 3 ++-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/vendor/device.te b/vendor/device.te
index 7acd0031..695c54fe 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -12,7 +12,8 @@ type uci_device, dev_type;
 # Dmabuf heaps
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
-type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3c5729f4..4b216387 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -164,8 +164,8 @@
 /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/framebuffer-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/framebuffer-secure u:object_r:framebuffer_secure_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index e322c3a0..628329b5 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,4 +1,5 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms;
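Review bot: Relabelling `/dev/dma_heap/vframe-secure` to `dmabuf_system_secure_heap_device` in vendor/file_contexts widens access to that node from `hal_graphics_allocator_default` (the only grant visible in this diff) to every domain that platform policy allows on the shared type, and the file carries no comment recording that this is deliberate. Which domains those are is defined outside this patch, so before merging I would list them with `sesearch --allow -t dmabuf_system_secure_heap_device -c chr_file` against the built policy and confirm the set is expected for a secure video heap. I would also add a comment above the entry, e.g. `# vframe-secure uses the platform secure-heap label so SP-HAL clients (Mali, codec HAL) can open it directly; see bug 278823239`. The subject line says the video secure devices become default heaps, yet `framebuffer-secure` and `vscaler-secure` receive new vendor-private types here and in vendor/device.te, so the description should state that only `vframe-secure` is widened.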
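Review bot: The two added allow lines in vendor/hal_graphics_allocator_default.te are the only visible grants on `vscaler_secure_heap_device` and `framebuffer_secure_heap_device`, but nothing prevents a later change from widening them. If these heaps are meant to stay allocator-only, a build-time guard next to the grants would enforce it, e.g. `neverallow { domain -hal_graphics_allocator_default } { vscaler_secure_heap_device framebuffer_secure_heap_device }:chr_file { open read ioctl };`, with any domains that legitimately need the nodes (not visible here) added to the exclusion set. The commit message also names the codec HAL as needing direct access to the video secure heaps, and no rule for it appears in this diff, so it is worth confirming that it only needs `vframe-secure`.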