Merge "Combine platform and vendor seccomp policy at runtime"

# service executable

include $(CLEAR_VARS)

LOCAL_REQUIRED_MODULES_arm := mediacodec-seccomp.policy

LOCAL_REQUIRED_MODULES_arm := mediacodec.policy

LOCAL_SRC_FILES := main_codecservice.cpp

LOCAL_SHARED_LIBRARIES := \

    libmedia \

LOCAL_INIT_RC := mediacodec.rc

include $(BUILD_EXECUTABLE)

# service seccomp policy

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediacodec.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy

# mediacodec runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy

endif

include $(BUILD_PREBUILT)

endif

include $(call all-makefiles-under, $(LOCAL_PATH))

using namespace android;

// Must match location in Android.mk.

static const char kSeccompPolicyPath[] = "/system/etc/seccomp_policy/mediacodec-seccomp.policy";

static const char kSystemSeccompPolicyPath[] =

        "/system/etc/seccomp_policy/mediacodec.policy";

static const char kVendorSeccompPolicyPath[] =

        "/vendor/etc/seccomp_policy/mediacodec.policy";

int main(int argc __unused, char** argv)

{

    LOG(INFO) << "mediacodecservice starting";

    signal(SIGPIPE, SIG_IGN);

    SetUpMinijail(kSeccompPolicyPath, std::string());

    SetUpMinijail(kSystemSeccompPolicyPath, kVendorSeccompPolicyPath);

    strcpy(argv[0], "media.codec");

LOCAL_PATH := $(call my-dir)

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediacodec-seccomp.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy

# mediacodec runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediacodec-seccomp-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediacodec-seccomp-$(TARGET_ARCH).policy

endif

# allow device specific additions to the syscall whitelist

LOCAL_SRC_FILES += $(wildcard $(foreach dir, $(BOARD_SECCOMP_POLICY), \

                     $(dir)/mediacodec-seccomp.policy))

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): $(LOCAL_SRC_FILES)

	@mkdir -p $(dir $@)

	$(hide) cat > $@ $^

endif

# service executable

include $(CLEAR_VARS)

# seccomp filters are defined for the following architectures:

LOCAL_REQUIRED_MODULES_arm := mediaextractor-seccomp.policy

LOCAL_REQUIRED_MODULES_arm64 := mediaextractor-seccomp.policy

LOCAL_REQUIRED_MODULES_x86 := mediaextractor-seccomp.policy

# TODO add seccomp filter for x86_64.

LOCAL_REQUIRED_MODULES_arm := mediaextractor.policy

LOCAL_REQUIRED_MODULES_arm64 := mediaextractor.policy

LOCAL_REQUIRED_MODULES_x86 := mediaextractor.policy

LOCAL_SRC_FILES := main_extractorservice.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils \

    liblog libbase libicuuc libavservices_minijail

LOCAL_C_INCLUDES := frameworks/av/media/libmedia

include $(BUILD_EXECUTABLE)

include $(call all-makefiles-under, $(LOCAL_PATH))

# service seccomp filter

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86))

include $(CLEAR_VARS)

LOCAL_MODULE := mediaextractor.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy

LOCAL_SRC_FILES := seccomp_policy/mediaextractor-$(TARGET_ARCH).policy

include $(BUILD_PREBUILT)

endif