1*e4a36f41SAndroid Build Coastguard Worker# applies all permissions to hal_omx NOT hal_omx_server 2*e4a36f41SAndroid Build Coastguard Worker# since OMX must always be in its own process. 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Workerbinder_call(hal_omx_server, binderservicedomain) 5*e4a36f41SAndroid Build Coastguard Workerbinder_call(hal_omx_server, { appdomain -isolated_app }) 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker# Allow hal_omx_server access to composer sync fences 8*e4a36f41SAndroid Build Coastguard Workerallow hal_omx_server hal_graphics_composer:fd use; 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Workerallow hal_omx_server ion_device:chr_file rw_file_perms; 11*e4a36f41SAndroid Build Coastguard Workerallow hal_omx_server hal_camera:fd use; 12*e4a36f41SAndroid Build Coastguard Worker 13*e4a36f41SAndroid Build Coastguard Workercrash_dump_fallback(hal_omx_server) 14*e4a36f41SAndroid Build Coastguard Worker 15*e4a36f41SAndroid Build Coastguard Worker# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never 16*e4a36f41SAndroid Build Coastguard Worker# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge 17*e4a36f41SAndroid Build Coastguard Worker# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd 18*e4a36f41SAndroid Build Coastguard Worker# via PDX. Thus, there is no need to use pdx_client macro. 19*e4a36f41SAndroid Build Coastguard Workerallow hal_omx_server bufferhubd:fd use; 20*e4a36f41SAndroid Build Coastguard Worker 21*e4a36f41SAndroid Build Coastguard Workerhal_attribute_hwservice(hal_omx, hal_omx_hwservice) 22*e4a36f41SAndroid Build Coastguard Worker 23*e4a36f41SAndroid Build Coastguard Workerallow hal_omx_client hidl_token_hwservice:hwservice_manager find; 24*e4a36f41SAndroid Build Coastguard Worker 25*e4a36f41SAndroid Build Coastguard Workerget_prop(hal_omx_client, media_variant_prop) 26*e4a36f41SAndroid Build Coastguard Workerget_prop(hal_omx_server, media_variant_prop) 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Workerbinder_call(hal_omx_client, hal_omx_server) 29*e4a36f41SAndroid Build Coastguard Workerbinder_call(hal_omx_server, hal_omx_client) 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker### 32*e4a36f41SAndroid Build Coastguard Worker### neverallow rules 33*e4a36f41SAndroid Build Coastguard Worker### 34*e4a36f41SAndroid Build Coastguard Worker 35*e4a36f41SAndroid Build Coastguard Worker# hal_omx_server should never execute any executable without a 36*e4a36f41SAndroid Build Coastguard Worker# domain transition 37*e4a36f41SAndroid Build Coastguard Workerneverallow hal_omx_server { file_type fs_type }:file execute_no_trans; 38*e4a36f41SAndroid Build Coastguard Worker 39*e4a36f41SAndroid Build Coastguard Worker# The goal of the mediaserver split is to place media processing code into 40*e4a36f41SAndroid Build Coastguard Worker# restrictive sandboxes with limited responsibilities and thus limited 41*e4a36f41SAndroid Build Coastguard Worker# permissions. Example: Audioserver is only responsible for controlling audio 42*e4a36f41SAndroid Build Coastguard Worker# hardware and processing audio content. Cameraserver does the same for camera 43*e4a36f41SAndroid Build Coastguard Worker# hardware/content. Etc. 44*e4a36f41SAndroid Build Coastguard Worker# 45*e4a36f41SAndroid Build Coastguard Worker# Media processing code is inherently risky and thus should have limited 46*e4a36f41SAndroid Build Coastguard Worker# permissions and be isolated from the rest of the system and network. 47*e4a36f41SAndroid Build Coastguard Worker# Lengthier explanation here: 48*e4a36f41SAndroid Build Coastguard Worker# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html 49*e4a36f41SAndroid Build Coastguard Workerneverallow hal_omx_server domain:{ udp_socket rawip_socket } *; 50*e4a36f41SAndroid Build Coastguard Workerneverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *; 51