commit 52fb3edbb6714a3a347c50c6e9dc430de0260f98
author Chong Zhang <chz@google.com> Fri Aug 31 14:42:11 2018 -0700
committer Chong Zhang <chz@google.com> Mon Oct 15 21:06:53 2018 +0000
tree 94175cefea1f6bc5b20a4442ee1fb3f2d10d2d41
parent 3a3a77d4e1a731d8416e845710cdfde0734f753f

add media.codec.update service

Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.

Bug: 111407413
Bug: 117290290

Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index 0645779..c2a4ca1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -98,6 +98,7 @@
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.extractor.update                    u:object_r:mediaextractor_update_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
+media.codec.update                        u:object_r:mediaextractor_update_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index fa476dd..42058f4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -494,6 +494,7 @@
     -webview_zygote
     -zygote
     userdebug_or_eng(`-mediaextractor')
+    userdebug_or_eng(`-mediaswcodec')
 } {
     file_type
     -system_file_type
@@ -1557,3 +1558,9 @@
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
+neverallow {
+  domain
+  userdebug_or_eng(`-mediaextractor')
+  userdebug_or_eng(`-mediaswcodec')
+} mediaextractor_update_service:service_manager add;
+

public/mediaextractor.te

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 9e07efd..8f58868 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,7 +37,7 @@
 
 userdebug_or_eng(`
   # Allow extractor to add update service.
-  add_service(mediaextractor, mediaextractor_update_service)
+  allow mediaextractor mediaextractor_update_service:service_manager { find add };
 
   # Allow extractor to load media extractor plugins from update apk.
   allow mediaextractor apk_data_file:dir search;

public/mediaswcodec.te

diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 1b1097b..9702562 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,3 +7,12 @@
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+userdebug_or_eng(`
+  binder_use(mediaswcodec)
+  # Add mediaextractor_update_service service
+  allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+
+  # Allow mediaswcodec to load libs from update apk.
+  allow mediaswcodec apk_data_file:file { open read execute getattr map };
+  allow mediaswcodec apk_data_file:dir { search getattr };
+')