Merge "Adjust name of vendor_camera_image_processing_hal_service" into main
diff --git a/edgetpu/sepolicy/edgetpu_tachyon_service.te b/edgetpu/sepolicy/edgetpu_tachyon_service.te
index 877a180..80db366 100644
--- a/edgetpu/sepolicy/edgetpu_tachyon_service.te
+++ b/edgetpu/sepolicy/edgetpu_tachyon_service.te
@@ -63,3 +63,8 @@
userdebug_or_eng(`
allow edgetpu_tachyon_server shell_data_file:file { map read};
')
+
+# For shell level testing
+userdebug_or_eng(`
+ binder_call(edgetpu_tachyon_server, shell);
+')
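Review bot: The new rule is appended as a second `userdebug_or_eng(` block immediately after the existing one on the lines above, so the same build-gated allow is split across two macro invocations; folding `binder_call(edgetpu_tachyon_server, shell);` into the existing block at the top of the hunk keeps the debug-only grants in one place. The direction also deserves a comment: `binder_call(edgetpu_tachyon_server, shell)` makes edgetpu_tachyon_server the caller, which fits a callback into a shell-owned binder object, but if the intent is for a shell test to invoke the service the arguments appear reversed — worth confirming against the test. A one-line comment such as `# debug builds only: let the server call back into binder objects owned by shell test tools` would make the intent explicit rather than the current `# For shell level testing`.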
diff --git a/mediacodec/vpu/mediacodec_google.mk b/mediacodec/vpu/mediacodec_google.mk
new file mode 100644
index 0000000..8c1e974
--- /dev/null
+++ b/mediacodec/vpu/mediacodec_google.mk
@@ -0,0 +1,21 @@
+PRODUCT_SOONG_NAMESPACES += hardware/google/video/cnm
+
+PRODUCT_PACKAGES += \
+ google.hardware.media.c2@3.0-service \
+ libgc2_store \
+ libgc2_base \
+ libgc2_vdi_vpu \
+ libgc2_log \
+ libgc2_utils \
+ libgc2_av1_dec \
+ libgc2_vp9_dec \
+ libgc2_hevc_dec \
+ libgc2_avc_dec \
+ libgc2_av1_enc \
+ libgc2_hevc_enc \
+ libgc2_avc_enc \
+ vpu_firmware
+
+$(call soong_config_set,cnm,soc,$(TARGET_BOARD_PLATFORM))
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/vpu/sepolicy
diff --git a/mediacodec/vpu/sepolicy/file_contexts b/mediacodec/vpu/sepolicy/file_contexts
new file mode 100644
index 0000000..138e20e
--- /dev/null
+++ b/mediacodec/vpu/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/hw/google\.hardware\.media\.c2@3\.0-service u:object_r:mediacodec_google_exec:s0
+/dev/vpu u:object_r:video_device:s0
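Review bot: `/dev/vpu` is labeled with the shared `video_device` type on the last line of the hunk, so any domain already permitted on video_device gains the VPU node as well, and mediacodec_google.te in this same commit carries no explicit `video_device` rule, leaving the grant to come implicitly from the hal_codec2 attributes. A dedicated type for the node (a `vpu_device`-style declaration, name to be chosen) with one explicit allow in mediacodec_google.te would scope the access to this domain and make the grant visible in the policy; if the shared label is deliberate, a comment above the line saying so would help the next reviewer.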
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
new file mode 100644
index 0000000..2c5d1cb
--- /dev/null
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -0,0 +1,20 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec_google)
+
+hal_server_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
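Review bot: The explicit `allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;` and `hal_client_domain(mediacodec_google, hal_graphics_allocator)` lines may overlap with what `hal_server_domain(mediacodec_google, hal_codec2)` already confers through the hal_codec2_server attribute; either confirm they are redundant and drop them, or add a comment stating why they are restated here. The file also documents the neverallows but not the positive grants; a short comment on the dmabuf line (e.g. `# decoder output buffers are allocated from the system dmabuf heap`) would explain the need.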