Mark video secure devices as default dmabuf heaps

Mali driver (and codec HAL as well) require direct access to video secure dmabuf devices. Mali driver being an SP-HAL cannot explicitly write blanket rules for all the scontext. So, we piggyback on dmabuf_system_secure_heap_device to allow all scontext to be able to use these device nodes. This is just as secure as dmabuf_system_secure_heap_device in that case. There is no additional security impact. An app can still use gralloc to allocate buffers from these heaps and disallowing access to these heaps to the intended users. Bug: 278513588 Test: Trusting result of ag/22743596 (no zumapro device yet) Change-Id: I2fd77e6694cdd4d1e51c9f01f4ae2b9f9670cea0
2023-04-19 11:50:47 -07:00 · 2023-04-19 11:50:47 -07:00 · 129741a269
commit 129741a269
parent 4ce6753500
3 changed files with 4 additions and 4 deletions
--- a/vendor/device.te
+++ b/vendor/device.te
@ -12,7 +12,7 @@ type uci_device, dev_type;
 # Dmabuf heaps
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
-type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;

 # SecureElement SPI device
 type st54spi_device, dev_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -160,7 +160,7 @@
 /dev/dma_heap/famodel-secure                                                u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faprev-secure                                                 u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/farawimg-secure                                               u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/vframe-secure                                                 u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vscaler-secure                                                u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vframe-secure                                                 u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure                                                u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure                                                u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci                                                                    u:object_r:uci_device:s0
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@ -1,4 +1,4 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;