Merge changes from topic "EVS_sepolicy_updates_T"
* changes: Updates sepolicy for EVS HAL Adds a sepolicy for EVS manager service
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
2cedd28cf9
12 changed files with 83 additions and 6 deletions
|
|
@ -39,3 +39,6 @@ allow automotive_display_service gpu_device:dir search;
|
|||
|
||||
# Allow to add a service to the servicemanager
|
||||
add_service(automotive_display_service, fwk_automotive_display_service);
|
||||
|
||||
# Allow to communicate with EVS services
|
||||
binder_call(automotive_display_service, hal_evs)
|
||||
|
|
|
|||
|
|
@ -19,12 +19,15 @@
|
|||
diced
|
||||
diced_exec
|
||||
fwk_automotive_display_service
|
||||
evsmanagerd
|
||||
evsmanagerd_service
|
||||
extra_free_kbytes
|
||||
extra_free_kbytes_exec
|
||||
fs_bpf_vendor
|
||||
gesture_prop
|
||||
hal_contexthub_service
|
||||
hal_camera_service
|
||||
hal_evs_service
|
||||
hal_dice_service
|
||||
hal_drm_service
|
||||
hal_dumpstate_service
|
||||
|
|
|
|||
39
private/evsmanagerd.te
Normal file
39
private/evsmanagerd.te
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
# evsmanager
|
||||
typeattribute evsmanagerd coredomain;
|
||||
typeattribute evsmanagerd evsmanager_service_server;
|
||||
|
||||
type evsmanagerd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(evsmanagerd);
|
||||
|
||||
# Declares as a binder service
|
||||
binder_service(evsmanagerd)
|
||||
|
||||
# Allows to add a service to service_manager
|
||||
add_service(evsmanagerd, evsmanagerd_service)
|
||||
|
||||
# Allows to use the binder IPC
|
||||
binder_use(evsmanagerd)
|
||||
|
||||
# Allows binder IPCs to the various system services
|
||||
binder_call(evsmanagerd, system_server)
|
||||
|
||||
# Allows to use EVS HAL implementations
|
||||
hal_client_domain(evsmanagerd, hal_evs)
|
||||
|
||||
# Allows to write messages to the shell
|
||||
allow evsmanagerd shell:fd use;
|
||||
allow evsmanagerd shell:fifo_file write;
|
||||
|
||||
# Allows to use the graphics allocator
|
||||
allow evsmanagerd hal_graphics_allocator:fd use;
|
||||
|
||||
# Allows to use a bootstrap statsd
|
||||
allow evsmanagerd statsbootstrap_service:service_manager find;
|
||||
|
||||
# Allows binder IPCs to the CarService
|
||||
binder_call(evsmanagerd, appdomain)
|
||||
|
||||
# For HIDL evs manager implementation
|
||||
allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
|
||||
allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
|
||||
|
|
@ -377,6 +377,8 @@
|
|||
/system/bin/odsign u:object_r:odsign_exec:s0
|
||||
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
|
||||
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
|
||||
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
|
||||
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
|
||||
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
|
||||
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
|
||||
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
|
||||
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
|
||||
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
|
||||
|
|
@ -75,6 +77,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
|
|||
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
|
||||
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
|
||||
alarm u:object_r:alarm_service:s0
|
||||
android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
|
||||
android.os.UpdateEngineService u:object_r:update_engine_service:s0
|
||||
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
|
||||
android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
|
||||
|
|
|
|||
|
|
@ -125,6 +125,9 @@ allow surfaceflinger statsmanager_service:service_manager find;
|
|||
# TODO(146461633): remove this once native pullers talk to StatsManagerService
|
||||
binder_call(surfaceflinger, statsd);
|
||||
|
||||
# Allow to use files supplied by hal_evs
|
||||
allow surfaceflinger hal_evs:fd use;
|
||||
|
||||
# Allow pushing jank event atoms to statsd
|
||||
userdebug_or_eng(`
|
||||
unix_socket_send(surfaceflinger, statsdw, statsd)
|
||||
|
|
|
|||
|
|
@ -398,6 +398,7 @@ hal_attribute(wifi_supplicant);
|
|||
attribute automotive_display_service_server;
|
||||
attribute camera_service_server;
|
||||
attribute display_service_server;
|
||||
attribute evsmanager_service_server;
|
||||
attribute scheduler_service_server;
|
||||
attribute sensor_service_server;
|
||||
attribute stats_service_server;
|
||||
|
|
|
|||
2
public/evsmanagerd.te
Normal file
2
public/evsmanagerd.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# evsmanager daemon
|
||||
type evsmanagerd, domain;
|
||||
|
|
@ -1,5 +1,15 @@
|
|||
hwbinder_use(hal_evs_client)
|
||||
hwbinder_use(hal_evs_server)
|
||||
|
||||
binder_call(hal_evs_client, hal_evs_server)
|
||||
binder_call(hal_evs_server, hal_evs_client)
|
||||
hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
|
||||
|
||||
# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
|
||||
# except it allows evsmanagerd to add hal_evs_hwservice.
|
||||
allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
|
||||
allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
|
||||
allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
|
||||
neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
|
||||
|
||||
# Allows to add a service
|
||||
hal_attribute_service(hal_evs, hal_evs_service)
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ type dice_node_service, service_manager_type;
|
|||
type dnsresolver_service, service_manager_type;
|
||||
type drmserver_service, service_manager_type;
|
||||
type dumpstate_service, service_manager_type;
|
||||
type evsmanagerd_service, service_manager_type;
|
||||
type fingerprintd_service, service_manager_type;
|
||||
type fwk_automotive_display_service, service_manager_type;
|
||||
type gatekeeper_service, app_api_service, service_manager_type;
|
||||
|
|
@ -273,6 +274,7 @@ type hal_contexthub_service, vendor_service, protected_service, service_manager_
|
|||
type hal_dice_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_drm_service, vendor_service, service_manager_type;
|
||||
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_evs_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_face_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
|
||||
|
|
|
|||
2
vendor/file_contexts
vendored
2
vendor/file_contexts
vendored
|
|
@ -8,7 +8,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
|
||||
|
|
|
|||
17
vendor/hal_evs_default.te
vendored
17
vendor/hal_evs_default.te
vendored
|
|
@ -6,10 +6,19 @@ hal_server_domain(hal_evs_default, hal_evs)
|
|||
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_evs_default)
|
||||
|
||||
allow hal_evs_default hal_graphics_allocator_server:fd use;
|
||||
|
||||
# allow to use surface flinger
|
||||
allow hal_evs_default automotive_display_service_server:fd use;
|
||||
# allow to use a graphic buffer
|
||||
hal_client_domain(hal_evs_default, hal_configstore)
|
||||
hal_client_domain(hal_evs_default, hal_graphics_allocator)
|
||||
hal_client_domain(hal_evs_default, hal_graphics_composer)
|
||||
|
||||
# allow to use automotive display service
|
||||
binder_call(hal_evs_default, automotive_display_service_server)
|
||||
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
|
||||
|
||||
# allow to access EGL
|
||||
allow hal_evs_default gpu_device:chr_file rw_file_perms;
|
||||
allow hal_evs_default gpu_device:dir search;
|
||||
|
||||
# allow to monitor uevents and access video devices
|
||||
allow hal_evs_default device:dir r_dir_perms;
|
||||
allow hal_evs_default video_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue