C2 AIDL sepolicy update
Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 345a9d2..e53f468 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -70,6 +70,8 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": EXCEPTION_NO_FUZZER,
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index e16be89..60b9ba6 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,6 +9,7 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/service_contexts b/private/service_contexts
index 71bd7e4..746cde1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,8 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index d2e6ca3..8cc5acc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -285,6 +285,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 564ca9d..efe0b71 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0