Remove mediacodec from binder violators.
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.
Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
diff --git a/public/mediacodec.te b/public/mediacodec.te
index e4801b6..3445c7a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -15,19 +15,17 @@
not_full_treble(`
# on legacy devices, continue to allow /dev/binder traffic
binder_use(mediacodec)
+ binder_service(mediacodec)
+ add_service(mediacodec, mediacodec_service)
+ allow mediacodec mediametrics_service:service_manager find;
+ allow mediacodec surfaceflinger_service:service_manager find;
')
binder_call(mediacodec, binderservicedomain)
binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
# Allow mediacodec access to composer sync fences
allow mediacodec hal_graphics_composer:fd use;
-# TODO(b/36604251): Remove this once OMX HAL stops using Binder
-typeattribute mediacodec binder_in_vendor_violators;
-add_service(mediacodec, mediacodec_service)
-allow mediacodec mediametrics_service:service_manager find;
-allow mediacodec surfaceflinger_service:service_manager find;
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
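Review bot: The two `binder_call(mediacodec, binderservicedomain)` and `binder_call(mediacodec, appdomain)` lines after the `not_full_treble` block stay unconditional and undocumented, although `binder_use(mediacodec)` and the service registration are now legacy-only. On a full-treble build they still grant mediacodec `binder { call transfer }` and `fd use` towards every binder service domain and every app domain. Presumably they are kept for hwbinder transactions, which are checked against the same `binder` class, but nothing in the hunk says so. I would add a comment above them such as `# kept on full-treble for hwbinder transactions with these domains (confirm); /dev/binder access itself is legacy-only`, and check whether the `binderservicedomain` target can be narrowed to specific domains now that the violator attribute is gone. The comment inside the block could also be widened to `# on legacy devices, continue to allow /dev/binder traffic and service registration`.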