mediacodec: fix vpu device sepolicy for video playback

08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1288): avc: denied { read write } for name="vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1289): avc: denied { open } for path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1290): avc: denied { ioctl } for path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4200 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:17.500 734 734 I binder:734_4: type=1400 audit(0.0:1291): avc: denied { map } for path="/dev/vpu" dev="tmpfs" ino=1585 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
08-27 11:30:18.944 734 734 I FetchThread: type=1400 audit(0.0:1292): avc: denied { ioctl } for path="/dev/vpu" dev="tmpfs" ino=1585 ioctlcmd=0x4207 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1
Bug: 353638738
Flag: EXEMPT bugfix
Test: video playback
Change-Id: I8ad4507693a4a0fbbd2709bd79d25b1ef4109904
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 2c5d1cb..e0f5d7f 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -8,6 +8,7 @@
hal_client_domain(mediacodec_google, hal_graphics_allocator)
allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file { read write open ioctl map };
# mediacodec_google should never execute any executable without a domain transition
neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
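Review bot: the added `allow mediacodec_google video_device:chr_file { read write open ioctl map };` grants `ioctl` with no command filter, while the denials in the commit message show only `ioctlcmd=0x4200` and `ioctlcmd=0x4207`. Without an `allowxperm` rule for this source, target and class, the `ioctl` permission covers every command the driver exposes, so consider pairing it with `allowxperm mediacodec_google video_device:chr_file ioctl { 0x4200 0x4207 };`, extended only with commands confirmed by testing beyond the single "video playback" case. The rule is also keyed on the `video_device` type rather than on `/dev/vpu` itself; if any other node carries that label it receives the same read/write/map access, so a dedicated type for the VPU node would keep the grant scoped. A one-line comment above the rule naming `/dev/vpu` would help, since the `.te` file alone does not say which device this is for.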