Merge "selinux rules for codec process" into nyc-dev
diff --git a/dumpstate.te b/dumpstate.te
index 16be441..f7a84f6 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
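Review bot: The comment above the changed rules says this set mirrors native_processes_to_dump in dumpstate/utils.c, so adding mediacodec to the two allow rules at lines 10 and 13 is only effective, and the comment only accurate, if that list is extended in the matching dumpstate change, which this diff cannot show. If it was not, the rules grant signal and dump_backtrace permission that nothing exercises. The system_server debuggerd rule at line 142 grows the same way but carries no pointer to where its list comes from; if it is derived from the same source, a comment such as `# Keep in sync with native_processes_to_dump in dumpstate/utils.c` there would make the coupling visible.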
diff --git a/file_contexts b/file_contexts
index 1195ebd..94702b4 100644
--- a/file_contexts
+++ b/file_contexts
@@ -168,6 +168,7 @@
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt u:object_r:otapreopt_exec:s0
diff --git a/mediacodec.te b/mediacodec.te
new file mode 100644
index 0000000..cf2047c
--- /dev/null
+++ b/mediacodec.te
@@ -0,0 +1,29 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+init_daemon_domain(mediacodec)
+
+binder_use(mediacodec)
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+binder_service(mediacodec)
+
+allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# mediacodec should never need network access. Disallow all sockets
+# other than those needed for normal system functions
+neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
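Review bot: The two broadest grants in the new domain, `typeattribute mediacodec mlstrustedsubject;` at line 38 and `binder_call(mediacodec, appdomain)` at line 44, carry no comment explaining why a codec process needs MLS-trusted status or the ability to initiate binder calls into every app domain rather than only answer them; a one-line justification above each, e.g. `# Codecs return decoded buffers to app clients through binder callbacks`, would let a later reviewer tell a deliberate grant from an overbroad one. Because untrusted_app is granted find on mediacodec_service at line 168, this process handles media supplied by any app, so the neverallow section is the key containment: it forbids execute_no_trans and socket use but says nothing about file or storage access, and if the domain is meant to stay off app data and external storage a neverallow stating that would make the boundary explicit rather than implied by the absence of allow rules. The socket neverallow also exempts the domain itself via `-mediacodec`, presumably for local IPC between codec processes; worth confirming that is intended.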
diff --git a/mediaserver.te b/mediaserver.te
index 38c0af2..bdfcd50 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -95,6 +95,7 @@
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 2362139..2ca43dd 100644
--- a/nfc.te
+++ b/nfc.te
@@ -21,6 +21,7 @@
allow nfc mediaserver_service:service_manager find;
allow nfc audioserver_service:service_manager find;
allow nfc mediaextractor_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
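Review bot: The diff does not show why the nfc domain needs to find mediacodec_service directly at line 83; if nfc only plays sounds through the media framework, the find it already holds on mediaserver_service may be sufficient, and the new rule extends nfc's reach to the codec process for no visible caller. Presumably it mirrors the mediaextractor_service find on the line above; if that pattern is intentional, a comment such as `# media framework client: needs the player, extractor and codec services` would document it, otherwise the rule could be left out until an audit denial shows it is required.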
diff --git a/platform_app.te b/platform_app.te
index 7730054..eaf863a 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -43,6 +43,7 @@
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index 59c599c..de682d7 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -24,6 +24,7 @@
allow priv_app drmserver_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
diff --git a/service.te b/service.te
index 45f1c87..4d1cfa8 100644
--- a/service.te
+++ b/service.te
@@ -10,6 +10,7 @@
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediacodec_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index ec1194b..fe58082 100644
--- a/service_contexts
+++ b/service_contexts
@@ -68,6 +68,7 @@
media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:audioserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
diff --git a/system_server.te b/system_server.te
index e8c52ff..8736533 100644
--- a/system_server.te
+++ b/system_server.te
@@ -139,13 +139,14 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, audioserver)
r_dir_file(system_server, cameraserver)
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, mediaextractor)
+r_dir_file(system_server, mediacodec)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)
@@ -390,6 +391,7 @@
allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 89dbfdd..2077e83 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,7 @@
allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediacodec_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;