Update automotive display service rules

This change updates sepolicies for automotive display service to make it
available to the vendor processes.

Bug: 149017572
Test: m -j selinux_policy
Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b
Signed-off-by: Changyeon Jo <changyeon@google.com>
This commit is contained in:
Changyeon Jo 2020-02-07 00:57:16 +00:00
parent 749e119053
commit 17b38d526d
6 changed files with 32 additions and 15 deletions

View file

@ -1,20 +1,33 @@
# Display service for Automotive
type automotive_display, domain, coredomain;
type automotive_display_exec, system_file_type, exec_type, file_type;
# Display proxy service for Automotive
type automotive_display_service, domain, coredomain;
type automotive_display_service_exec, system_file_type, exec_type, file_type;
init_daemon_domain(automotive_display)
typeattribute automotive_display_service automotive_display_service_server;
# Allow to add a display service to the manager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
init_daemon_domain(automotive_display_service)
# Allow to use Binder IPC for SurfaceFlinger.
binder_use(automotive_display)
binder_use(automotive_display_service)
# Allow to use HwBinder IPC for HAL implementations.
hwbinder_use(automotive_display)
hwbinder_use(automotive_display_service)
hal_client_domain(automotive_display_service, hal_graphics_composer)
# Allow to read the target property.
get_prop(automotive_display, hwservicemanager_prop)
get_prop(automotive_display_service, hwservicemanager_prop)
# Allow to find SurfaceFlinger.
allow automotive_display surfaceflinger_service:service_manager find;
allow automotive_display_service surfaceflinger_service:service_manager find;
# Allow client domain to do binder IPC to serverdomain.
binder_call(automotive_display, surfaceflinger)
binder_call(automotive_display_service, surfaceflinger)
# Allow to use a graphics mapper
allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
# Allow to use hidl token service
allow automotive_display_service hidl_token_hwservice:hwservice_manager find;

View file

@ -1 +0,0 @@
add_hwservice(automotive_display, fwk_automotive_display_hwservice)

View file

@ -16,8 +16,8 @@
app_integrity_service
app_search_service
auth_service
automotive_display
automotive_display_exec
automotive_display_service
automotive_display_service_exec
ashmem_libcutils_device
blob_store_service
binder_cache_bluetooth_server_prop

View file

@ -346,7 +346,7 @@
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
#############################
# Vendor files

View file

@ -1,10 +1,10 @@
android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0

View file

@ -6,5 +6,10 @@ hal_server_domain(hal_evs_default, hal_evs)
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_evs_default)
allow hal_evs_default hal_graphics_allocator_default:fd use;
allow hal_evs_default hal_graphics_allocator_server:fd use;
# allow to use surface flinger
allow hal_evs_default automotive_display_service_server:fd use;
# allow to use automotive display service
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;