commit 3e9f05faa3cb6e3c24e969805ef39cec792f940b
author Charles Chen <liangyuchen@google.com> Tue Jan 31 13:02:12 2023 +0000
committer Charlie Wang <charliewang@google.com> Wed Feb 08 15:48:25 2023 -0800
tree e89bb7368a2c5d384703c451e4394f60ead1a05b
parent f388934ffed0a811c2cf607a3cef0abc6ab7ef8e

Extension of isolated_compute_app for media services.

Support media use cases in isolated_compute_app such as decoding with MediaCodecs.

Bug:266943251
Test: m &&  manual - sample app with IsolatedProcess=True can use MediaCodec.

Change-Id: I864dcfb16494efada2fbd2a7d34b5d7f6b8128cb

private/isolated_compute_app.te

diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 536261f..bde6195 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -20,11 +20,18 @@
 allow isolated_compute_app content_capture_service:service_manager find;
 allow isolated_compute_app device_state_service:service_manager find;
 allow isolated_compute_app speech_recognition_service:service_manager find;
+allow isolated_compute_app mediaserver_service:service_manager find;
 
 # Enable access to hardware services for camera functionalilites
 hal_client_domain(isolated_compute_app, hal_allocator)
 hwbinder_use(isolated_compute_app)
 
+allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
 #####
 ##### Neverallow
 #####

private/technical_debt.cil

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 069bb10..27ea187 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -14,11 +14,11 @@
 
 ; Apps, except isolated apps, are clients of OMX-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
 ; Apps, except isolated apps, are clients of Codec2-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
 ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language: