author | Changyeon Jo | 2019-03-04 14:19:41 -0600 |
---|---|---|
committer | Changyeon Jo | 2019-03-04 20:24:21 -0600 |
commit | d6dad36401659c46def6f6b88a80de078c719ee0 (patch) | |
tree | d22ce063ae594b3447df69d3a813b898a6563ca4 | |
parent | d81057e6b27ccfba6d424e1d580457900b510914 (diff) | |
Updates EVS sepolicies
Tags: android-q-preview-6, android-q-preview-5, android-q-preview-4, android-q-preview-2.5, android-q-preview-1, android-o-mr1-iot-release-1.0.10
Adds more permissions based on audit results.
Change-Id: Ia34a1581fd47dcb8dd3a12eaf62293f914ef0d4a
Signed-off-by: Changyeon Jo <changyeon@google.com>
-rw-r--r-- | evs/sepolicy/evs_app.te | 12 | ||||
-rw-r--r-- | evs/sepolicy/evs_driver.te | 12 | ||||
-rw-r--r-- | evs/sepolicy/evs_manager.te | 4 | ||||
-rw-r--r-- | evs/sepolicy/surfaceflinger.te | 2 |
4 files changed, 17 insertions, 13 deletions
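--- a/evs/sepolicy/evs_app.te
+++ b/evs/sepolicy/evs_app.te
@@ -2,6 +2,8 @@
 type evs_app, domain, coredomain;
 hal_client_domain(evs_app, hal_evs)
 hal_client_domain(evs_app, hal_vehicle)
+hal_client_domain(evs_app, hal_configstore)
+hal_client_domain(evs_app, hal_graphics_allocator)
 
 # allow init to launch processes in this context
 type evs_app_exec, exec_type, file_type;
@@ -13,10 +15,6 @@ allow evs_app evs_app_files:file { getattr open read };
 allow evs_app evs_app_files:dir search;
 
 # Allow use of gralloc buffers and EGL
-allow evs_app hal_graphics_allocator_default:fd use;
-allow evs_app gpu_device:chr_file ioctl;
-allow evs_app gpu_device:chr_file { getattr open read write };
-
-# Permit communication with the vehicle HAL
-# (Communcations with the rest of the EVS stack is allowed via hal_evs)
-binder_call(evs_app, hal_vehicle);
+allow evs_app gpu_device:chr_file rw_file_perms;
+allow evs_app ion_device:chr_file r_file_perms;
+allow evs_app system_file:dir r_dir_perms;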
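Review bot: `allow evs_app system_file:dir r_dir_perms;` (new line 20) sits under the "Allow use of gralloc buffers and EGL" comment with no stated reason, and it lets the app read and list any directory labelled `system_file`. The commit message says the rules came from audit results, so the denial should be checked and only the permission it showed granted, for example `allow evs_app system_file:dir search;` if the process merely traverses the path. A comment naming the consumer would help the next reader, such as `# EGL loader enumerates system library directories (confirm against the denial)`. The move of `gpu_device` to `rw_file_perms` also leaves ioctl unrestricted; an ioctl allowlist would be the tighter form if the command set the app needs is known.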
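--- a/evs/sepolicy/evs_driver.te
+++ b/evs/sepolicy/evs_driver.te
@@ -5,16 +5,16 @@ hal_server_domain(hal_evs_driver, hal_evs)
 # allow init to launch processes in this context
 type hal_evs_driver_exec, exec_type, file_type;
 init_daemon_domain(hal_evs_driver)
+binder_use(hal_evs_driver)
 
 # Allow use of USB devices, gralloc buffers, and surface flinger
 allow hal_evs_driver device:dir { open read };
-allow hal_evs_driver video_device:chr_file { ioctl open read write };
+allow hal_evs_driver video_device:chr_file rw_file_perms;
 hal_client_domain(hal_evs_driver, hal_graphics_allocator);
+hal_client_domain(hal_evs_driver, hal_graphics_composer)
+hal_client_domain(hal_evs_driver, hal_configstore)
 
-allow hal_evs_driver gpu_device:chr_file { getattr ioctl open read write };
+allow hal_evs_driver gpu_device:chr_file rw_file_perms;
 binder_call(hal_evs_driver, surfaceflinger);
 allow hal_evs_driver surfaceflinger_service:service_manager find;
-allow hal_evs_driver hal_graphics_composer_default:fd use;
-allow hal_evs_driver hal_graphics_allocator_default_tmpfs:file { read write };
-allow hal_evs_driver self:capability dac_override;
-allow hal_evs_driver servicemanager:binder call;
+allow hal_evs_driver ion_device:chr_file r_file_perms;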
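Review bot: `hal_client_domain(hal_evs_driver, hal_graphics_composer)` (new line 14) replaces a rule that only let the driver use file descriptors from `hal_graphics_composer_default`, and as a client-domain macro it presumably makes the driver a full client of the composer HAL. If the audit denials were limited to fd use, a narrower rule against the server attribute, e.g. `allow hal_evs_driver hal_graphics_composer_server:fd use;`, would keep the old scope without naming one implementation. The section comment "Allow use of USB devices, gralloc buffers, and surface flinger" does not mention the composer or configstore grants and should say why each is needed. The file's first four lines lie outside the hunk, so the domain's type attributes could not be checked here.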
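--- a/evs/sepolicy/evs_manager.te
+++ b/evs/sepolicy/evs_manager.te
@@ -2,7 +2,11 @@
 type evs_manager, domain, coredomain;
 hal_server_domain(evs_manager, hal_evs)
 hal_client_domain(evs_manager, hal_evs)
+add_hwservice(hal_evs, hal_evs_hwservice)
 
 # allow init to launch processes in this context
 type evs_manager_exec, exec_type, file_type;
 init_daemon_domain(evs_manager)
+
+# allow use of hwservices
+allow evs_manager hal_graphics_allocator_default:fd use;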
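Review bot: The comment `# allow use of hwservices` (new line 11) does not describe the rule under it, which lets evs_manager use file descriptors from `hal_graphics_allocator_default`; `# use buffer fds received from the graphics allocator HAL` would match what is granted. The rule names one allocator implementation, while evs_app.te in this same commit drops the identical rule in favour of `hal_client_domain(evs_app, hal_graphics_allocator)`, so the two files now handle the same need in different ways. Separately, `add_hwservice(hal_evs, hal_evs_hwservice)` on new line 5 is written against the `hal_evs` attribute rather than a server-only one. If client domains can carry that attribute on some builds, scoping it to `hal_evs_server` would limit service registration to the servers.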
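--- /dev/null
+++ b/evs/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger hal_evs_driver:fd use;
+allow surfaceflinger hal_evs_driver:binder call;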
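Review bot: Neither rule in this new file carries a comment explaining why the platform `surfaceflinger` domain needs to call into `hal_evs_driver` and use its file descriptors, a direction that `binder_call(hal_evs_driver, surfaceflinger);` in evs_driver.te does not cover. A header such as `# surfaceflinger calls back into the EVS driver and uses fds it passes (from audit denials; confirm)` would record the intent for later audits. The pair could also be written as `binder_call(surfaceflinger, hal_evs_driver)` to match the macro style of the other EVS policy files, keeping in mind that the macro presumably grants binder transfer as well.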