Merge "close stream after use" into udc-dev
diff --git a/mediacodec/common/mediacodec_common.mk b/mediacodec/common/mediacodec_common.mk
new file mode 100644
index 0000000..7f57785
--- /dev/null
+++ b/mediacodec/common/mediacodec_common.mk
@@ -0,0 +1,4 @@
+# mediacodec_common for all build configs and sepolicy shared among different Codec HAL
+# example 1: shared among multiple HALs on the same device
+# example 2: shared among different Hals on different devices
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy
diff --git a/mediacodec/common/sepolicy/file.te b/mediacodec/common/sepolicy/file.te
new file mode 100644
index 0000000..921cc69
--- /dev/null
+++ b/mediacodec/common/sepolicy/file.te
@@ -0,0 +1 @@
+type vendor_media_data_file, file_type, data_file_type;
diff --git a/mediacodec/common/sepolicy/file_contexts b/mediacodec/common/sepolicy/file_contexts
new file mode 100644
index 0000000..e92274f
--- /dev/null
+++ b/mediacodec/common/sepolicy/file_contexts
@@ -0,0 +1 @@
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
diff --git a/mediacodec/common/sepolicy/vndservice.te b/mediacodec/common/sepolicy/vndservice.te
new file mode 100644
index 0000000..0784fe3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type eco_service, vndservice_manager_type;
diff --git a/mediacodec/common/sepolicy/vndservice_contexts b/mediacodec/common/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..87800a3
--- /dev/null
+++ b/mediacodec/common/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+media.ecoservice u:object_r:eco_service:s0
diff --git a/mediacodec/samsung/mediacodec_samsung.mk b/mediacodec/samsung/mediacodec_samsung.mk
new file mode 100644
index 0000000..96ffac4
--- /dev/null
+++ b/mediacodec/samsung/mediacodec_samsung.mk
@@ -0,0 +1,21 @@
+PRODUCT_SOONG_NAMESPACES += vendor/samsung_slsi/codec2
+
+PRODUCT_PACKAGES += \
+ samsung.hardware.media.c2@1.2-service \
+ codec2.vendor.base.policy \
+ codec2.vendor.ext.policy \
+ libExynosC2ComponentStore \
+ libExynosC2H264Dec \
+ libExynosC2H264Enc \
+ libExynosC2HevcDec \
+ libExynosC2HevcEnc \
+ libExynosC2Mpeg4Dec \
+ libExynosC2Mpeg4Enc \
+ libExynosC2H263Dec \
+ libExynosC2H263Enc \
+ libExynosC2Vp8Dec \
+ libExynosC2Vp8Enc \
+ libExynosC2Vp9Dec \
+ libExynosC2Vp9Enc
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy
diff --git a/mediacodec/samsung/sepolicy/file.te b/mediacodec/samsung/sepolicy/file.te
new file mode 100644
index 0000000..99c3b66
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file.te
@@ -0,0 +1 @@
+type sysfs_mfc, sysfs_type, fs_type;
diff --git a/mediacodec/samsung/sepolicy/file_contexts b/mediacodec/samsung/sepolicy/file_contexts
new file mode 100644
index 0000000..6f4f29b
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# MFC
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
diff --git a/mediacodec/samsung/sepolicy/genfs_contexts b/mediacodec/samsung/sepolicy/genfs_contexts
new file mode 100644
index 0000000..d44d760
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
diff --git a/mediacodec/samsung/sepolicy/mediacodec_samsung.te b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
new file mode 100644
index 0000000..efc83d7
--- /dev/null
+++ b/mediacodec/samsung/sepolicy/mediacodec_samsung.te
@@ -0,0 +1,37 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
+hal_server_domain(mediacodec_samsung, hal_codec2)
+add_service(mediacodec_samsung, eco_service)
+
+vndbinder_use(mediacodec_samsung)
+
+allow mediacodec_samsung video_device:chr_file rw_file_perms;
+allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
+
+allow mediacodec_samsung sysfs_mfc:file r_file_perms;
+allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
+
+# can use graphics allocator
+hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+
+binder_call(mediacodec_samsung, hal_camera_default)
+
+crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_samsung vendor_media_data_file:file create_file_perms;
+')