From 17b38d526db6e19f9d128196463c03c03ca27974 Mon Sep 17 00:00:00 2001 From: Changyeon Jo Date: Fri, 7 Feb 2020 00:57:16 +0000 Subject: [PATCH] Update automotive display service rules This change updates sepolicies for automotive display service to make it available to the vendor processes. Bug: 149017572 Test: m -j selinux_policy Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b Signed-off-by: Changyeon Jo --- private/automotive_display_service.te | 31 ++++++++++++++------ private/automotive_display_service_server.te | 1 - private/compat/29.0/29.0.ignore.cil | 4 +-- private/file_contexts | 2 +- private/hwservice_contexts | 2 +- vendor/hal_evs_default.te | 7 ++++- 6 files changed, 32 insertions(+), 15 deletions(-) delete mode 100644 private/automotive_display_service_server.te diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te index e397d1047..fa11ca424 100644 --- a/private/automotive_display_service.te +++ b/private/automotive_display_service.te @@ -1,20 +1,33 @@ -# Display service for Automotive -type automotive_display, domain, coredomain; -type automotive_display_exec, system_file_type, exec_type, file_type; +# Display proxy service for Automotive +type automotive_display_service, domain, coredomain; +type automotive_display_service_exec, system_file_type, exec_type, file_type; -init_daemon_domain(automotive_display) +typeattribute automotive_display_service automotive_display_service_server; + +# Allow to add a display service to the manager +add_hwservice(automotive_display_service, fwk_automotive_display_hwservice); + +# Allow init to launch automotive display service +init_daemon_domain(automotive_display_service) # Allow to use Binder IPC for SurfaceFlinger. -binder_use(automotive_display) +binder_use(automotive_display_service) # Allow to use HwBinder IPC for HAL implementations. -hwbinder_use(automotive_display) +hwbinder_use(automotive_display_service) +hal_client_domain(automotive_display_service, hal_graphics_composer) # Allow to read the target property. -get_prop(automotive_display, hwservicemanager_prop) +get_prop(automotive_display_service, hwservicemanager_prop) # Allow to find SurfaceFlinger. -allow automotive_display surfaceflinger_service:service_manager find; +allow automotive_display_service surfaceflinger_service:service_manager find; # Allow client domain to do binder IPC to serverdomain. -binder_call(automotive_display, surfaceflinger) +binder_call(automotive_display_service, surfaceflinger) + +# Allow to use a graphics mapper +allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find; + +# Allow to use hidl token service +allow automotive_display_service hidl_token_hwservice:hwservice_manager find; diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te deleted file mode 100644 index a916de8af..000000000 --- a/private/automotive_display_service_server.te +++ /dev/null @@ -1 +0,0 @@ -add_hwservice(automotive_display, fwk_automotive_display_hwservice) diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index 31582fa1d..125b08c5d 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -16,8 +16,8 @@ app_integrity_service app_search_service auth_service - automotive_display - automotive_display_exec + automotive_display_service + automotive_display_service_exec ashmem_libcutils_device blob_store_service binder_cache_bluetooth_server_prop diff --git a/private/file_contexts b/private/file_contexts index 557321ed4..9da83a9be 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -346,7 +346,7 @@ /system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0 /system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0 /system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0 -/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0 +/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0 ############################# # Vendor files diff --git a/private/hwservice_contexts b/private/hwservice_contexts index b2cad3f1e..9c471bc22 100644 --- a/private/hwservice_contexts +++ b/private/hwservice_contexts @@ -1,10 +1,10 @@ +android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0 android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0 android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0 android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0 android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0 android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0 android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0 -android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0 android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0 android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0 android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0 diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te index b927f1e54..57a0299be 100644 --- a/vendor/hal_evs_default.te +++ b/vendor/hal_evs_default.te @@ -6,5 +6,10 @@ hal_server_domain(hal_evs_default, hal_evs) type hal_evs_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_evs_default) -allow hal_evs_default hal_graphics_allocator_default:fd use; +allow hal_evs_default hal_graphics_allocator_server:fd use; +# allow to use surface flinger +allow hal_evs_default automotive_display_service_server:fd use; + +# allow to use automotive display service +allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;