commit 7baf725ea63c9db5a360ba3d4516c30e2ad18d4a
author Steven Moreland <smoreland@google.com> Fri May 25 16:23:37 2018 -0700
committer Steven Moreland <smoreland@google.com> Wed May 30 18:12:32 2018 +0000
tree 61357c21686cf8461100943ae48f04fb60a45b54
parent db459a1b71252524b2e019ff70cbe1079e127b9e

mediacodec->mediacodec+hal_omx{,_server,_client}

(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index de6ad7b..f74159e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -105,7 +105,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server mediacodec:process { getsched setsched };
+allow system_server hal_omx_server:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
 allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
@@ -114,9 +114,9 @@
 # Allow system_server to write to /proc/<pid>/timerslack_ns
 allow system_server appdomain:file w_file_perms;
 allow system_server audioserver:file w_file_perms;
-allow system_server mediacodec:file w_file_perms;
 allow system_server cameraserver:file w_file_perms;
 allow system_server hal_audio_server:file w_file_perms;
+allow system_server hal_omx_server:file w_file_perms;
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
 # within system_server to keep track of memory and CPU usage for
@@ -201,9 +201,7 @@
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
-allow system_server hal_codec2_hwservice:hwservice_manager find;
-allow system_server hal_omx_hwservice:hwservice_manager find;
-allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_omx)
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
 hal_client_domain(system_server, hal_tetheroffload)
@@ -220,8 +218,6 @@
 hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 
-binder_call(system_server, mediacodec)
-
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 
@@ -261,9 +257,9 @@
   hal_bluetooth_server
   hal_camera_server
   hal_graphics_composer_server
+  hal_omx_server
   hal_sensors_server
   hal_vr_server
-  mediacodec # TODO(b/36375899): hal_omx_server
 }:process { signal };
 
 # Use sockets received over binder from various services.