Loading apex/Android.bp +4 −0 Original line number Diff line number Diff line Loading @@ -35,6 +35,8 @@ apex_defaults { }, prebuilts: [ "mediaextractor.policy", "code_coverage.policy", "crash_dump.policy", ], key: "com.android.media.key", certificate: ":com.android.media.certificate", Loading Loading @@ -70,6 +72,8 @@ apex_defaults { "com.android.media.swcodec-mediaswcodec.rc", "com.android.media.swcodec-ld.config.txt", "mediaswcodec.policy", "code_coverage.policy", "crash_dump.policy", "mediaswcodec.xml", ], use_vendor: true, Loading services/mediacodec/Android.bp +66 −1 Original line number Diff line number Diff line Loading 
@@ -52,11 +52,76 @@ prebuilt_etc { src: "seccomp_policy/mediaswcodec-arm64.policy", }, x86: { src: "seccomp_policy/mediacodec-x86.policy", src: "seccomp_policy/mediaswcodec-x86.policy", }, x86_64: { src: "seccomp_policy/mediaswcodec-x86_64.policy", }, }, required: [ "crash_dump.policy", "code_coverage.policy", ], } // media.codec -- the one that handles vendor & HW codecs cc_binary { name: "android.hardware.media.omx@1.0-service", relative_install_path: "hw", vendor: true, srcs: [ "main_codecservice.cpp", ], shared_libs: [ "libbinder", "libutils", "liblog", "libbase", "libavservices_minijail", "libcutils", "libhidlbase", "libstagefright_omx", "libstagefright_xmlparser", "android.hardware.media.omx@1.0", "android.hidl.memory@1.0", ], // OMX interfaces force this to stay in 32-bit mode; compile_multilib: "32", init_rc: ["android.hardware.media.omx@1.0-service.rc"], required: [ "mediacodec.policy", ], cflags: [ "-Werror", "-Wall", "-Wno-error=deprecated-declarations", ], } prebuilt_etc { name: "mediacodec.policy", sub_dir: "seccomp_policy", arch: { arm: { src: "seccomp_policy/mediacodec-arm.policy", }, arm64: { src: "seccomp_policy/mediacodec-arm64.policy", }, x86: { src: "seccomp_policy/mediacodec-x86.policy", }, x86_64: { src: "seccomp_policy/mediacodec-x86_64.policy", }, }, required: [ "crash_dump.policy", Loading services/mediacodec/Android.mkdeleted 100644 → 0 +0 −91 Original line number Diff line number Diff line LOCAL_PATH := $(call my-dir) _software_codecs := \ libstagefright_soft_aacdec \ libstagefright_soft_aacenc \ libstagefright_soft_amrdec \ libstagefright_soft_amrnbenc \ libstagefright_soft_amrwbenc \ libstagefright_soft_avcdec \ libstagefright_soft_avcenc \ libstagefright_soft_flacdec \ libstagefright_soft_flacenc \ libstagefright_soft_g711dec \ libstagefright_soft_gsmdec \ libstagefright_soft_hevcdec \ libstagefright_soft_mp3dec \ libstagefright_soft_mpeg2dec \ libstagefright_soft_mpeg4dec \ libstagefright_soft_mpeg4enc \ libstagefright_soft_opusdec \ 
libstagefright_soft_rawdec \ libstagefright_soft_vorbisdec \ libstagefright_soft_vpxdec \ libstagefright_soft_vpxenc \ libstagefright_softomx_plugin \ # service executable include $(CLEAR_VARS) # seccomp is not required for coverage build. ifneq ($(NATIVE_COVERAGE),true) LOCAL_REQUIRED_MODULES_arm := mediacodec.policy LOCAL_REQUIRED_MODULES_x86 := mediacodec.policy endif LOCAL_SRC_FILES := main_codecservice.cpp LOCAL_SHARED_LIBRARIES := \ libbinder \ libutils \ liblog \ libbase \ libavservices_minijail \ libcutils \ libhidlbase \ libstagefright_omx \ libstagefright_xmlparser \ android.hardware.media.omx@1.0 \ android.hidl.memory@1.0 LOCAL_MODULE := android.hardware.media.omx@1.0-service LOCAL_MODULE_RELATIVE_PATH := hw LOCAL_VENDOR_MODULE := true LOCAL_32_BIT_ONLY := true # Since this is 32-bit-only module, only 32-bit version of the codecs are installed. # TODO(b/72343507): eliminate the need for manually adding .vendor suffix. This should be done # by the build system. LOCAL_REQUIRED_MODULES += \ $(foreach codec,$(_software_codecs),\ $(eval _vendor_suffix := $(if $(BOARD_VNDK_VERSION),.vendor))\ $(codec)$(_vendor_suffix)\ ) _software_codecs := LOCAL_INIT_RC := android.hardware.media.omx@1.0-service.rc include $(BUILD_EXECUTABLE) #################################################################### # service seccomp policy ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), x86 x86_64 arm arm64)) include $(CLEAR_VARS) LOCAL_MODULE := mediacodec.policy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy LOCAL_REQUIRED_MODULES := crash_dump.policy code_coverage.policy # mediacodec runs in 32-bit combatibility mode. 
For 64 bit architectures, # use the 32 bit policy ifdef TARGET_2ND_ARCH ifneq ($(TARGET_TRANSLATE_2ND_ARCH),true) LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_2ND_ARCH).policy else LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy endif else LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy endif include $(BUILD_PREBUILT) endif #################################################################### include $(call all-makefiles-under, $(LOCAL_PATH)) services/mediacodec/seccomp_policy/mediacodec-arm64.policy 0 → 100644 +63 −0 Original line number Diff line number Diff line # Organized by frequency of systemcall - in descending order for # best performance. futex: 1 ioctl: 1 write: 1 prctl: 1 clock_gettime: 1 getpriority: 1 read: 1 close: 1 writev: 1 dup: 1 ppoll: 1 mmap2: 1 getrandom: 1 memfd_create: 1 ftruncate: 1 ftruncate64: 1 # mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail # parser support for '<' is in this needs to be modified to also prevent # |old_address| and |new_address| from touching the exception vector page, which # on ARM is statically loaded at 0xffff 0000. See # http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html # for more details. 
mremap: arg3 == 3 munmap: 1 mprotect: 1 madvise: 1 openat: 1 sigaltstack: 1 clone: 1 setpriority: 1 getuid32: 1 fstat64: 1 fstatfs64: 1 pread64: 1 faccessat: 1 readlinkat: 1 exit: 1 rt_sigprocmask: 1 set_tid_address: 1 restart_syscall: 1 exit_group: 1 rt_sigreturn: 1 pipe2: 1 gettimeofday: 1 sched_yield: 1 nanosleep: 1 lseek: 1 _llseek: 1 sched_get_priority_max: 1 sched_get_priority_min: 1 statfs64: 1 sched_setscheduler: 1 fstatat64: 1 ugetrlimit: 1 getdents64: 1 getrandom: 1 @include /system/etc/seccomp_policy/crash_dump.arm.policy @include /system/etc/seccomp_policy/code_coverage.arm.policy services/mediacodec/seccomp_policy/mediacodec-x86_64.policy 0 → 100644 +72 −0 Original line number Diff line number Diff line # Copyright (C) 2017 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
read: 1 mprotect: 1 prctl: 1 openat: 1 open: 1 getuid32: 1 getuid: 1 getrlimit: 1 writev: 1 ioctl: 1 close: 1 mmap2: 1 mmap: 1 fstat64: 1 fstat: 1 stat64: 1 statfs64: 1 madvise: 1 fstatat64: 1 newfstatat: 1 futex: 1 munmap: 1 faccessat: 1 _llseek: 1 lseek: 1 clone: 1 sigaltstack: 1 setpriority: 1 restart_syscall: 1 exit: 1 exit_group: 1 rt_sigreturn: 1 ugetrlimit: 1 readlink: 1 readlinkat: 1 _llseek: 1 fstatfs64: 1 fstatfs: 1 pread64: 1 mremap: 1 dup: 1 set_tid_address: 1 write: 1 nanosleep: 1 sched_setscheduler: 1 uname: 1 memfd_create: 1 ftruncate: 1 ftruncate64: 1 # Required by AddressSanitizer gettid: 1 sched_yield: 1 getpid: 1 gettid: 1 @include /system/etc/seccomp_policy/crash_dump.x86.policy @include /system/etc/seccomp_policy/code_coverage.x86.policy Loading
apex/Android.bp +4 −0 Original line number Diff line number Diff line Loading @@ -35,6 +35,8 @@ apex_defaults { }, prebuilts: [ "mediaextractor.policy", "code_coverage.policy", "crash_dump.policy", ], key: "com.android.media.key", certificate: ":com.android.media.certificate", Loading Loading @@ -70,6 +72,8 @@ apex_defaults { "com.android.media.swcodec-mediaswcodec.rc", "com.android.media.swcodec-ld.config.txt", "mediaswcodec.policy", "code_coverage.policy", "crash_dump.policy", "mediaswcodec.xml", ], use_vendor: true, Loading
services/mediacodec/Android.bp +66 −1 Original line number Diff line number Diff line Loading @@ -52,11 +52,76 @@ prebuilt_etc { src: "seccomp_policy/mediaswcodec-arm64.policy", }, x86: { src: "seccomp_policy/mediacodec-x86.policy", src: "seccomp_policy/mediaswcodec-x86.policy", }, x86_64: { src: "seccomp_policy/mediaswcodec-x86_64.policy", }, }, required: [ "crash_dump.policy", "code_coverage.policy", ], } // media.codec -- the one that handles vendor & HW codecs cc_binary { name: "android.hardware.media.omx@1.0-service", relative_install_path: "hw", vendor: true, srcs: [ "main_codecservice.cpp", ], shared_libs: [ "libbinder", "libutils", "liblog", "libbase", "libavservices_minijail", "libcutils", "libhidlbase", "libstagefright_omx", "libstagefright_xmlparser", "android.hardware.media.omx@1.0", "android.hidl.memory@1.0", ], // OMX interfaces force this to stay in 32-bit mode; compile_multilib: "32", init_rc: ["android.hardware.media.omx@1.0-service.rc"], required: [ "mediacodec.policy", ], cflags: [ "-Werror", "-Wall", "-Wno-error=deprecated-declarations", ], } prebuilt_etc { name: "mediacodec.policy", sub_dir: "seccomp_policy", arch: { arm: { src: "seccomp_policy/mediacodec-arm.policy", }, arm64: { src: "seccomp_policy/mediacodec-arm64.policy", }, x86: { src: "seccomp_policy/mediacodec-x86.policy", }, x86_64: { src: "seccomp_policy/mediacodec-x86_64.policy", }, }, required: [ "crash_dump.policy", Loading
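Review bot: The new `prebuilt_etc { name: "mediacodec.policy" }` selects its `src` by the device's primary arch, while the `cc_binary` above it is pinned to `compile_multilib: "32"`, so on arm64 and x86_64 devices a 32-bit process is confined by the file named for the 64-bit arch. The removed Android.mk handled this explicitly by picking `mediacodec-$(TARGET_2ND_ARCH).policy`; the replacement depends on the arm64/x86_64 files carrying 32-bit syscall names, which nothing in this file states. I would add a comment above `arch:` such as `// Service is 32-bit only: the arm64/x86_64 entries must list 32-bit syscall names.` The old `ifneq ($(NATIVE_COVERAGE),true)` guard around the policy requirement is also gone, which looks intended now that `code_coverage.policy` is required, but is worth confirming. The `prebuilt_etc` block continues past the visible end of this section.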
services/mediacodec/Android.mkdeleted 100644 → 0 +0 −91 Original line number Diff line number Diff line LOCAL_PATH := $(call my-dir) _software_codecs := \ libstagefright_soft_aacdec \ libstagefright_soft_aacenc \ libstagefright_soft_amrdec \ libstagefright_soft_amrnbenc \ libstagefright_soft_amrwbenc \ libstagefright_soft_avcdec \ libstagefright_soft_avcenc \ libstagefright_soft_flacdec \ libstagefright_soft_flacenc \ libstagefright_soft_g711dec \ libstagefright_soft_gsmdec \ libstagefright_soft_hevcdec \ libstagefright_soft_mp3dec \ libstagefright_soft_mpeg2dec \ libstagefright_soft_mpeg4dec \ libstagefright_soft_mpeg4enc \ libstagefright_soft_opusdec \ libstagefright_soft_rawdec \ libstagefright_soft_vorbisdec \ libstagefright_soft_vpxdec \ libstagefright_soft_vpxenc \ libstagefright_softomx_plugin \ # service executable include $(CLEAR_VARS) # seccomp is not required for coverage build. ifneq ($(NATIVE_COVERAGE),true) LOCAL_REQUIRED_MODULES_arm := mediacodec.policy LOCAL_REQUIRED_MODULES_x86 := mediacodec.policy endif LOCAL_SRC_FILES := main_codecservice.cpp LOCAL_SHARED_LIBRARIES := \ libbinder \ libutils \ liblog \ libbase \ libavservices_minijail \ libcutils \ libhidlbase \ libstagefright_omx \ libstagefright_xmlparser \ android.hardware.media.omx@1.0 \ android.hidl.memory@1.0 LOCAL_MODULE := android.hardware.media.omx@1.0-service LOCAL_MODULE_RELATIVE_PATH := hw LOCAL_VENDOR_MODULE := true LOCAL_32_BIT_ONLY := true # Since this is 32-bit-only module, only 32-bit version of the codecs are installed. # TODO(b/72343507): eliminate the need for manually adding .vendor suffix. This should be done # by the build system. 
LOCAL_REQUIRED_MODULES += \ $(foreach codec,$(_software_codecs),\ $(eval _vendor_suffix := $(if $(BOARD_VNDK_VERSION),.vendor))\ $(codec)$(_vendor_suffix)\ ) _software_codecs := LOCAL_INIT_RC := android.hardware.media.omx@1.0-service.rc include $(BUILD_EXECUTABLE) #################################################################### # service seccomp policy ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), x86 x86_64 arm arm64)) include $(CLEAR_VARS) LOCAL_MODULE := mediacodec.policy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy LOCAL_REQUIRED_MODULES := crash_dump.policy code_coverage.policy # mediacodec runs in 32-bit combatibility mode. For 64 bit architectures, # use the 32 bit policy ifdef TARGET_2ND_ARCH ifneq ($(TARGET_TRANSLATE_2ND_ARCH),true) LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_2ND_ARCH).policy else LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy endif else LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy endif include $(BUILD_PREBUILT) endif #################################################################### include $(call all-makefiles-under, $(LOCAL_PATH))
services/mediacodec/seccomp_policy/mediacodec-arm64.policy 0 → 100644 +63 −0 Original line number Diff line number Diff line # Organized by frequency of systemcall - in descending order for # best performance. futex: 1 ioctl: 1 write: 1 prctl: 1 clock_gettime: 1 getpriority: 1 read: 1 close: 1 writev: 1 dup: 1 ppoll: 1 mmap2: 1 getrandom: 1 memfd_create: 1 ftruncate: 1 ftruncate64: 1 # mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail # parser support for '<' is in this needs to be modified to also prevent # |old_address| and |new_address| from touching the exception vector page, which # on ARM is statically loaded at 0xffff 0000. See # http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html # for more details. mremap: arg3 == 3 munmap: 1 mprotect: 1 madvise: 1 openat: 1 sigaltstack: 1 clone: 1 setpriority: 1 getuid32: 1 fstat64: 1 fstatfs64: 1 pread64: 1 faccessat: 1 readlinkat: 1 exit: 1 rt_sigprocmask: 1 set_tid_address: 1 restart_syscall: 1 exit_group: 1 rt_sigreturn: 1 pipe2: 1 gettimeofday: 1 sched_yield: 1 nanosleep: 1 lseek: 1 _llseek: 1 sched_get_priority_max: 1 sched_get_priority_min: 1 statfs64: 1 sched_setscheduler: 1 fstatat64: 1 ugetrlimit: 1 getdents64: 1 getrandom: 1 @include /system/etc/seccomp_policy/crash_dump.arm.policy @include /system/etc/seccomp_policy/code_coverage.arm.policy
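Review bot: This file is named for arm64 but lists 32-bit ARM syscalls (`mmap2`, `getuid32`, `fstat64`, `_llseek`, `ugetrlimit`) and includes `crash_dump.arm.policy`, with no comment saying why. A header line such as `# 32-bit ARM syscall list: the service runs as a 32-bit process on arm64 devices.` would keep a later editor from switching it to 64-bit names and breaking the sandbox. `getrandom: 1` appears twice, once after `mmap2` and again as the last entry before the `@include` lines; drop the second so the allow-list has a single definition per syscall. The file also lacks the license header that the x86_64 policy in this commit carries.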
services/mediacodec/seccomp_policy/mediacodec-x86_64.policy 0 → 100644 +72 −0 Original line number Diff line number Diff line # Copyright (C) 2017 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. read: 1 mprotect: 1 prctl: 1 openat: 1 open: 1 getuid32: 1 getuid: 1 getrlimit: 1 writev: 1 ioctl: 1 close: 1 mmap2: 1 mmap: 1 fstat64: 1 fstat: 1 stat64: 1 statfs64: 1 madvise: 1 fstatat64: 1 newfstatat: 1 futex: 1 munmap: 1 faccessat: 1 _llseek: 1 lseek: 1 clone: 1 sigaltstack: 1 setpriority: 1 restart_syscall: 1 exit: 1 exit_group: 1 rt_sigreturn: 1 ugetrlimit: 1 readlink: 1 readlinkat: 1 _llseek: 1 fstatfs64: 1 fstatfs: 1 pread64: 1 mremap: 1 dup: 1 set_tid_address: 1 write: 1 nanosleep: 1 sched_setscheduler: 1 uname: 1 memfd_create: 1 ftruncate: 1 ftruncate64: 1 # Required by AddressSanitizer gettid: 1 sched_yield: 1 getpid: 1 gettid: 1 @include /system/etc/seccomp_policy/crash_dump.x86.policy @include /system/etc/seccomp_policy/code_coverage.x86.policy
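Review bot: `_llseek: 1` and `gettid: 1` are each listed twice (`gettid` directly under the `# Required by AddressSanitizer` comment and again a few entries later), so it is unclear which entry is authoritative if one is later given an argument filter; keep one of each. `mremap: 1` is unrestricted here while the arm64 policy added in the same commit uses `mremap: arg3 == 3`; if that flags restriction is not ARM-specific the same filter would tighten this file, and if it is, a short comment should say so. The list also mixes 32-bit names (`mmap2`, `getuid32`, `stat64`) with 64-bit ones and includes `crash_dump.x86.policy`, so a one-line comment stating which ABI the policy targets would help the next reviewer.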