Properly define hal_codec2 and related policies

Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3c5b921..23e1fd2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -311,9 +311,10 @@
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
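Review bot: The new `-hal_codec2_server` exclusion exempts the Codec2 HAL server from this neverallow for all untrusted apps, and nothing in the hunk records why that exposure is acceptable. Each entry in this list is a HAL server that untrusted code may reach, so I would put the justification next to it, for example `-hal_codec2_server # reachable by apps like hal_omx_server; see b/131677974`. The neverallow statement continues past the end of the hunk, so the class and permissions it covers are not visible here; please confirm the exemption is no wider than what the existing hal_omx_server entry already gets.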
diff --git a/private/incidentd.te b/private/incidentd.te
index 6f10955..7b38911 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -90,6 +90,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
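Review bot: The second added line is an empty line, apparently at the end of mediaserver.te, which leaves a stray trailing blank line; it should be dropped. The new `hal_client_domain(mediaserver, hal_codec2)` also sits under the existing `# allocate and use graphic buffers` comment, which does not describe it. A short comment of its own, such as `# use codecs provided by the Codec2 HAL`, would make the grant self-explanatory.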
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b1aa775..1236627 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
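Review bot: `hal_client_domain(surfaceflinger, hal_codec2)` gives surfaceflinger the full Codec2 client permission set without a comment saying which code path needs it, and the same holds for `hal_client_domain(system_server, hal_codec2)` in the second system_server.te hunk. Both appear to mirror the neighbouring hal_omx lines, but these are privileged domains, and each client grant adds a channel between them and a process that presumably handles untrusted media. I would record the reason on the line above, e.g. `# mirrors hal_omx: needed for <path> (b/131677974)` with the actual consumer filled in. If only a subset of the client permissions is needed, a narrower explicit allow rule would fit least privilege better than full client membership.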
diff --git a/private/system_server.te b/private/system_server.te
index 0d02657..f551780 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
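Review bot: The added `typeattributeset hal_codec2_client` makes every app domain except isolated_app a Codec2 client, which includes untrusted apps, but the comment neither says so nor names a bug that tracks removing this technical-debt entry. Unlike the Configstore block that follows, it also omits the module-language form the comment refers to. Adding `;     typeattribute { appdomain -isolated_app } hal_codec2_client;` after the "Unfortunately" line, plus a `; TODO(b/<bug id>)` reference, would keep the blocks consistent and make the intended end state clear. The Configstore block continues past the end of the hunk.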