authorAmit Pundir <amit.pundir@linaro.org>2020-02-19 00:05:38 +0530
committerAlistair Delva <adelva@google.com>2020-06-29 17:49:07 +0000
commited6df0dd1451e798d0698d01e256f14fb44d1c5c (patch)
tree52f2e9eb1be71ecf8c334698eb93fe4176c6bbff
parent50b8daeaa58887a66aee2a9b90f366af5ce4db37 (diff)
mediaswcodec: Fix selinux and seccomp policy denials
Fix mediaswcodec selinux and seccomp denials so that video playback works with software codecs. mediaswcodec needs gpu access, and it also crashes with the following seccomp error during video playback: E media.swcodec: libminijail[2139]: blocked syscall: sysinfo So whitelist the sysinfo syscall for mediaswcodec. Change-Id: I11db36aeda475c4ca73121efb8b2bfd3d7590be0 Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
-rw-r--r--device-common.mk3
-rw-r--r--seccomp_policy/mediaswcodec.policy3
-rw-r--r--sepolicy/mediaswcodec.te2
3 files changed, 8 insertions, 0 deletions
diff --git a/device-common.mk b/device-common.mk
index 1ebe719..d0f540e 100644
--- a/device-common.mk
+++ b/device-common.mk
@@ -135,6 +135,9 @@ PRODUCT_COPY_FILES += \
frameworks/av/media/libstagefright/data/media_codecs_google_video.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_google_video.xml \
frameworks/av/media/libstagefright/data/media_codecs_google_audio.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_google_audio.xml
+PRODUCT_COPY_FILES += \
+ $(LOCAL_PATH)/seccomp_policy/mediaswcodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediaswcodec.policy
+
# Memtrack
PRODUCT_PACKAGES += \
memtrack.default \
diff --git a/seccomp_policy/mediaswcodec.policy b/seccomp_policy/mediaswcodec.policy
new file mode 100644
index 0000000..4c148fb
--- /dev/null
+++ b/seccomp_policy/mediaswcodec.policy
@@ -0,0 +1,3 @@
+# device specific syscalls
+# extension of frameworks/av/services/mediacodec/seccomp_policy/mediaswcodec-arm64.policy
+sysinfo: 1
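Review bot: The comment above `sysinfo: 1` does not record why the syscall is needed, which matters because every entry in this file widens the sandbox of a process that parses untrusted media. Something like `# sysinfo: hit during video playback with software codecs (libminijail: blocked syscall: sysinfo); caller not yet identified` would let a later reviewer drop the entry once the caller is known or fixed. The header names only the arm64 base policy, while the copy rule in device-common.mk installs this file unconditionally; if 32-bit builds also consume it, the comment should reference the matching base policy as well.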
diff --git a/sepolicy/mediaswcodec.te b/sepolicy/mediaswcodec.te
new file mode 100644
index 0000000..57fb75c
--- /dev/null
+++ b/sepolicy/mediaswcodec.te
@@ -0,0 +1,2 @@
+gpu_access(mediaswcodec)
+allow mediaswcodec gpu_device:chr_file { getattr ioctl map open read write };
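Review bot: The `allow` rule grants mediaswcodec `ioctl` and `write` on `gpu_device` with no ioctl restriction, so the process that decodes untrusted media can reach the whole GPU driver ioctl surface. If the commands the driver actually needs are known, narrow this with an extended-permission rule such as `allowxperm mediaswcodec gpu_device:chr_file ioctl { <required ioctl commands> };` and keep only the permissions the recorded denials showed. The definition of `gpu_access()` is not visible in this commit; if it already covers `gpu_device:chr_file`, the explicit `allow` line is redundant and one of the two should go. A comment stating why a software codec needs the GPU node (presumably graphics buffer allocation or mapping, to be confirmed) would document why the sandbox is widened.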