Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9

commit: be04b091bbfcdddcac39b474631c77ed47a1a4aa [log] [tgz]
author: Yifan Hong <elsk@google.com> Mon Jun 07 12:37:31 2021 -0700
committer: Yifan Hong <elsk@google.com> Tue Jun 08 10:39:02 2021 -0700
tree: f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent: c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..8587e12 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te

@@ -34,5 +34,6 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
commit	be04b091bbfcdddcac39b474631c77ed47a1a4aa	[log] [tgz]
author	Yifan Hong <elsk@google.com>	Mon Jun 07 12:37:31 2021 -0700
committer	Yifan Hong <elsk@google.com>	Tue Jun 08 10:39:02 2021 -0700
tree	f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent	c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]