Remove mediacodec from binder violators.
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.
Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
diff --git a/private/app.te b/private/app.te
index d6dc48c..2fddb44 100644
--- a/private/app.te
+++ b/private/app.te
@@ -273,6 +273,9 @@
# Allow app to access the graphic allocator HAL
binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
# App can access configstore HAL which is read only
binder_call({ appdomain -isolated_app }, hal_configstore)
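Review bot: The added `binder_call({ appdomain -isolated_app }, mediacodec)` rule gives every non-isolated app domain, untrusted apps included, a direct binder path to mediacodec, and its one-line comment does not say that this is a carry-over rather than a new grant. According to the commit message the same access previously came implicitly through binderservicedomain, so the comment should record that and the deliberate exclusion, e.g. `# Apps call mediacodec (IOMX HAL) directly; on full-treble it is no longer in binderservicedomain. isolated_app stays excluded.` Because mediacodec presumably processes app-supplied media, it is also worth confirming that no narrower set of app domains would be enough; that cannot be judged from this hunk alone.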
diff --git a/private/system_server.te b/private/system_server.te
index e200bef..0f0dcdc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,8 @@
hal_client_domain(system_server, hal_wifi_supplicant)
+binder_call(system_server, mediacodec)
+
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
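Review bot: `binder_call(system_server, mediacodec)` is added without any comment, unlike its counterpart in private/app.te, so a later reader cannot tell why system_server needs an explicit rule here. A line such as `# Call mediacodec (IOMX HAL) directly; on full-treble it is no longer part of binderservicedomain` above it would tie the rule to the reason given in the commit message. Sitting right under the `hal_wifi_supplicant` line, it also reads as if it belonged to the wifi rules; the blank line after it helps, but the comment would make the grouping unambiguous.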