summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChangyeon Jo2019-03-05 11:22:48 -0600
committerandroid-build-merger2019-03-05 11:22:48 -0600
commit36b55d44a0489ff35964ae2ef8d78dc2b2e3b274 (patch)
treed22ce063ae594b3447df69d3a813b898a6563ca4
parent9f60af281b78f16e8b5cf20f74a62cc90f0a0b6b (diff)
parentd6dad36401659c46def6f6b88a80de078c719ee0 (diff)
downloadplatform-packages-services-car-36b55d44a0489ff35964ae2ef8d78dc2b2e3b274.tar.gz
platform-packages-services-car-36b55d44a0489ff35964ae2ef8d78dc2b2e3b274.tar.xz
platform-packages-services-car-36b55d44a0489ff35964ae2ef8d78dc2b2e3b274.zip
Updates EVS sepolicies
am: d6dad36401 Change-Id: I6474fff593042bcf3d4ad49da1b3d6196df7ed3c
-rw-r--r--evs/sepolicy/evs_app.te12
-rw-r--r--evs/sepolicy/evs_driver.te12
-rw-r--r--evs/sepolicy/evs_manager.te4
-rw-r--r--evs/sepolicy/surfaceflinger.te2
4 files changed, 17 insertions, 13 deletions
diff --git a/evs/sepolicy/evs_app.te b/evs/sepolicy/evs_app.te
index ef78f0b1..098499a5 100644
--- a/evs/sepolicy/evs_app.te
+++ b/evs/sepolicy/evs_app.te
@@ -2,6 +2,8 @@
2type evs_app, domain, coredomain; 2type evs_app, domain, coredomain;
3hal_client_domain(evs_app, hal_evs) 3hal_client_domain(evs_app, hal_evs)
4hal_client_domain(evs_app, hal_vehicle) 4hal_client_domain(evs_app, hal_vehicle)
5hal_client_domain(evs_app, hal_configstore)
6hal_client_domain(evs_app, hal_graphics_allocator)
5 7
6# allow init to launch processes in this context 8# allow init to launch processes in this context
7type evs_app_exec, exec_type, file_type; 9type evs_app_exec, exec_type, file_type;
@@ -13,10 +15,6 @@ allow evs_app evs_app_files:file { getattr open read };
13allow evs_app evs_app_files:dir search; 15allow evs_app evs_app_files:dir search;
14 16
15# Allow use of gralloc buffers and EGL 17# Allow use of gralloc buffers and EGL
16allow evs_app hal_graphics_allocator_default:fd use; 18allow evs_app gpu_device:chr_file rw_file_perms;
17allow evs_app gpu_device:chr_file ioctl; 19allow evs_app ion_device:chr_file r_file_perms;
18allow evs_app gpu_device:chr_file { getattr open read write }; 20allow evs_app system_file:dir r_dir_perms;
19
20# Permit communication with the vehicle HAL
21# (Communcations with the rest of the EVS stack is allowed via hal_evs)
22binder_call(evs_app, hal_vehicle);
diff --git a/evs/sepolicy/evs_driver.te b/evs/sepolicy/evs_driver.te
index 5d316a49..dcf67003 100644
--- a/evs/sepolicy/evs_driver.te
+++ b/evs/sepolicy/evs_driver.te
@@ -5,16 +5,16 @@ hal_server_domain(hal_evs_driver, hal_evs)
5# allow init to launch processes in this context 5# allow init to launch processes in this context
6type hal_evs_driver_exec, exec_type, file_type; 6type hal_evs_driver_exec, exec_type, file_type;
7init_daemon_domain(hal_evs_driver) 7init_daemon_domain(hal_evs_driver)
8binder_use(hal_evs_driver)
8 9
9# Allow use of USB devices, gralloc buffers, and surface flinger 10# Allow use of USB devices, gralloc buffers, and surface flinger
10allow hal_evs_driver device:dir { open read }; 11allow hal_evs_driver device:dir { open read };
11allow hal_evs_driver video_device:chr_file { ioctl open read write }; 12allow hal_evs_driver video_device:chr_file rw_file_perms;
12hal_client_domain(hal_evs_driver, hal_graphics_allocator); 13hal_client_domain(hal_evs_driver, hal_graphics_allocator);
14hal_client_domain(hal_evs_driver, hal_graphics_composer)
15hal_client_domain(hal_evs_driver, hal_configstore)
13 16
14allow hal_evs_driver gpu_device:chr_file { getattr ioctl open read write }; 17allow hal_evs_driver gpu_device:chr_file rw_file_perms;
15binder_call(hal_evs_driver, surfaceflinger); 18binder_call(hal_evs_driver, surfaceflinger);
16allow hal_evs_driver surfaceflinger_service:service_manager find; 19allow hal_evs_driver surfaceflinger_service:service_manager find;
17allow hal_evs_driver hal_graphics_composer_default:fd use; 20allow hal_evs_driver ion_device:chr_file r_file_perms;
18allow hal_evs_driver hal_graphics_allocator_default_tmpfs:file { read write };
19allow hal_evs_driver self:capability dac_override;
20allow hal_evs_driver servicemanager:binder call;
diff --git a/evs/sepolicy/evs_manager.te b/evs/sepolicy/evs_manager.te
index 1f99d964..58ea6aaa 100644
--- a/evs/sepolicy/evs_manager.te
+++ b/evs/sepolicy/evs_manager.te
@@ -2,7 +2,11 @@
2type evs_manager, domain, coredomain; 2type evs_manager, domain, coredomain;
3hal_server_domain(evs_manager, hal_evs) 3hal_server_domain(evs_manager, hal_evs)
4hal_client_domain(evs_manager, hal_evs) 4hal_client_domain(evs_manager, hal_evs)
5add_hwservice(hal_evs, hal_evs_hwservice)
5 6
6# allow init to launch processes in this context 7# allow init to launch processes in this context
7type evs_manager_exec, exec_type, file_type; 8type evs_manager_exec, exec_type, file_type;
8init_daemon_domain(evs_manager) 9init_daemon_domain(evs_manager)
10
11# allow use of hwservices
12allow evs_manager hal_graphics_allocator_default:fd use;
diff --git a/evs/sepolicy/surfaceflinger.te b/evs/sepolicy/surfaceflinger.te
new file mode 100644
index 00000000..69affc0c
--- /dev/null
+++ b/evs/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
1allow surfaceflinger hal_evs_driver:fd use;
2allow surfaceflinger hal_evs_driver:binder call;