Merge "VR: Add sepolicy for VR HWC service" into oc-dev am: ed82acb912
am: 888bc0bbee
Change-Id: Ic14649c9ecba4879547300030717e2176ce8ca53
This commit is contained in:
Daniel Nicoara
android-build-merger
commit
24c6334cc8
9 changed files with 41 additions and 8 deletions
|
|
@ -256,6 +256,7 @@
|
|||
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
|
|
|||
|
|
@ -158,6 +158,7 @@ vibrator u:object_r:vibrator_service:s0
|
|||
virtual_touchpad u:object_r:virtual_touchpad_service:s0
|
||||
voiceinteraction u:object_r:voiceinteraction_service:s0
|
||||
vr_window_manager u:object_r:vr_window_manager_service:s0
|
||||
vr_hwc u:object_r:vr_hwc_service:s0
|
||||
vrmanager u:object_r:vr_manager_service:s0
|
||||
wallpaper u:object_r:wallpaper_service:s0
|
||||
webviewupdate u:object_r:webviewupdate_service:s0
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ binder_call(system_app, incidentd)
|
|||
|
||||
allow system_app servicemanager:service_manager list;
|
||||
# TODO: scope this down? Too broad?
|
||||
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
|
||||
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
|
||||
allow system_app keystore:keystore_key {
|
||||
get_state
|
||||
|
|
|
|||
4
private/vr_hwc.te
Normal file
4
private/vr_hwc.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
typeattribute vr_hwc coredomain;
|
||||
|
||||
# Daemon started by init.
|
||||
init_daemon_domain(vr_hwc)
|
||||
|
|
@ -170,7 +170,7 @@ userdebug_or_eng(`
|
|||
allow dumpstate misc_logd_file:file r_file_perms;
|
||||
')
|
||||
|
||||
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
|
||||
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
allow dumpstate servicemanager:service_manager list;
|
||||
|
||||
allow dumpstate devpts:chr_file rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ type system_app_service, service_manager_type;
|
|||
type update_engine_service, service_manager_type;
|
||||
type virtual_touchpad_service, service_manager_type;
|
||||
type vr_window_manager_service, service_manager_type;
|
||||
type vr_hwc_service, service_manager_type;
|
||||
|
||||
# system_server_services broken down
|
||||
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
|
|
|
|||
|
|
@ -82,7 +82,7 @@ allow shell servicemanager:service_manager list;
|
|||
# don't allow shell to access GateKeeper service
|
||||
# TODO: why is this so broad? Tightening candidate? It needs at list:
|
||||
# - dumpstate_service (so it can receive dumpstate progress updates)
|
||||
allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
|
||||
allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
|
||||
allow shell dumpstate:binder call;
|
||||
|
||||
# allow shell to get information from hwservicemanager
|
||||
|
|
|
|||
29
public/vr_hwc.te
Normal file
29
public/vr_hwc.te
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
type vr_hwc, domain;
|
||||
type vr_hwc_exec, exec_type, file_type;
|
||||
|
||||
# Get buffer metadata.
|
||||
hal_client_domain(vr_hwc, hal_graphics_allocator)
|
||||
|
||||
binder_use(vr_hwc)
|
||||
binder_service(vr_hwc)
|
||||
|
||||
binder_call(vr_hwc, surfaceflinger)
|
||||
binder_call(vr_hwc, vr_wm)
|
||||
|
||||
add_service(vr_hwc, vr_hwc_service)
|
||||
|
||||
# Hosts the VR HWC implementation and provides a simple Binder interface for VR
|
||||
# Window Manager to receive the layers/buffers.
|
||||
hwbinder_use(vr_hwc)
|
||||
|
||||
# Load vendor libraries.
|
||||
allow vr_hwc system_file:dir r_dir_perms;
|
||||
|
||||
allow vr_hwc ion_device:chr_file r_file_perms;
|
||||
|
||||
# Allow connection to VR DisplayClient to get the primary display metadata
|
||||
# (ie: size).
|
||||
use_pdx(vr_hwc, surfaceflinger)
|
||||
|
||||
# Limit access so only vr_wm can connect.
|
||||
neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
|
||||
|
|
@ -4,18 +4,15 @@ type vr_wm_exec, exec_type, file_type;
|
|||
hal_client_domain(vr_wm, hal_graphics_allocator)
|
||||
|
||||
binder_use(vr_wm)
|
||||
binder_call(vr_wm, surfaceflinger)
|
||||
binder_call(vr_wm, virtual_touchpad)
|
||||
binder_call(vr_wm, vr_hwc)
|
||||
|
||||
allow vr_wm virtual_touchpad_service:service_manager find;
|
||||
allow vr_wm vr_hwc_service:service_manager find;
|
||||
|
||||
binder_service(vr_wm)
|
||||
add_service(vr_wm, vr_window_manager_service)
|
||||
|
||||
# Hosts the VR HWC implementation and provides a simple Binder interface for VR
|
||||
# Window Manager to receive the layers/buffers.
|
||||
hwbinder_use(vr_wm)
|
||||
|
||||
# Load vendor libraries.
|
||||
allow vr_wm system_file:dir r_dir_perms;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue