Move sensord sepolicy
Sensord move in ag/2106763 should be accompanied by corresponding sepolicy move of sensord-related files/declarations. Bug: 36996994 Test: Sailfish build shows no related permission errors Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
This commit is contained in:
Luke Song
parent
7e6176400b
commit
2dd9ae33f7
8 changed files with 2 additions and 44 deletions
|
|
@ -300,8 +300,6 @@ allow appdomain app_fuse_file:file { getattr read append write };
|
|||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
|
||||
pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
|
||||
# Apps do not directly open the IPC socket for bufferhubd.
|
||||
pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
|
||||
|
|
|
|||
|
|
@ -134,10 +134,6 @@
|
|||
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
|
||||
/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/sensors u:object_r:pdx_sensors_dir:s0
|
||||
/dev/socket/pdx/system/vr/sensors/client u:object_r:pdx_sensors_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/pose u:object_r:pdx_pose_dir:s0
|
||||
/dev/socket/pdx/system/vr/pose/client u:object_r:pdx_pose_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
|
||||
/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
|
||||
|
|
@ -198,7 +194,6 @@
|
|||
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
|
||||
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
|
||||
/system/bin/performanced u:object_r:performanced_exec:s0
|
||||
/system/bin/sensord u:object_r:sensord_exec:s0
|
||||
/system/bin/drmserver u:object_r:drmserver_exec:s0
|
||||
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
|
||||
/system/bin/incident u:object_r:incident_exec:s0
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute sensord coredomain;
|
||||
|
||||
init_daemon_domain(sensord)
|
||||
|
|
@ -98,8 +98,6 @@ pdx_server(surfaceflinger, display_vsync)
|
|||
|
||||
pdx_client(surfaceflinger, bufferhub_client)
|
||||
pdx_client(surfaceflinger, performance_client)
|
||||
pdx_client(surfaceflinger, sensors_client)
|
||||
pdx_client(surfaceflinger, pose_client)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
|
|||
|
|
@ -164,8 +164,6 @@ pdx_service_attributes(display_manager)
|
|||
pdx_service_attributes(display_screenshot)
|
||||
pdx_service_attributes(display_vsync)
|
||||
pdx_service_attributes(performance_client)
|
||||
pdx_service_attributes(sensors_client)
|
||||
pdx_service_attributes(pose_client);
|
||||
pdx_service_attributes(bufferhub_client)
|
||||
|
||||
# All HAL servers
|
||||
|
|
|
|||
|
|
@ -283,8 +283,6 @@ type gps_control, file_type;
|
|||
# PDX endpoint types
|
||||
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
|
||||
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
|
||||
type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
|
||||
type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
|
||||
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
|
||||
|
||||
pdx_service_socket_types(display_client, pdx_display_dir)
|
||||
|
|
@ -292,8 +290,6 @@ pdx_service_socket_types(display_manager, pdx_display_dir)
|
|||
pdx_service_socket_types(display_screenshot, pdx_display_dir)
|
||||
pdx_service_socket_types(display_vsync, pdx_display_dir)
|
||||
pdx_service_socket_types(performance_client, pdx_performance_dir)
|
||||
pdx_service_socket_types(sensors_client, pdx_sensors_dir)
|
||||
pdx_service_socket_types(pose_client, pdx_pose_dir)
|
||||
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
|
||||
|
||||
# file_contexts files
|
||||
|
|
|
|||
|
|
@ -10,9 +10,9 @@ allow performanced self:capability { setuid setgid sys_nice };
|
|||
# Access /proc to validate we're only affecting threads in the same thread group.
|
||||
# Performanced also shields unbound kernel threads. It scans every task in the
|
||||
# root cpu set, but only affects the kernel threads.
|
||||
r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
|
||||
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
|
||||
dontaudit performanced domain:dir read;
|
||||
allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
|
||||
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
|
||||
|
||||
# Access /dev/cpuset/cpuset.cpus
|
||||
r_dir_file(performanced, cgroup)
|
||||
|
|
|
|||
|
|
@ -1,24 +0,0 @@
|
|||
# sensord
|
||||
type sensord, domain, mlstrustedsubject;
|
||||
type sensord_exec, exec_type, file_type;
|
||||
|
||||
hal_client_domain(sensord, hal_graphics_allocator)
|
||||
allow sensord hal_graphics_allocator:fd use;
|
||||
|
||||
pdx_server(sensord, sensors_client)
|
||||
pdx_server(sensord, pose_client)
|
||||
pdx_client(sensord, bufferhub_client)
|
||||
pdx_client(sensord, performance_client)
|
||||
|
||||
# Access /dev/ion
|
||||
allow sensord ion_device:chr_file r_file_perms;
|
||||
|
||||
allow sensord sensors_device:chr_file rw_file_perms;
|
||||
|
||||
binder_use(sensord)
|
||||
binder_call(sensord, system_server)
|
||||
allow sensord system_server:unix_stream_socket { read write };
|
||||
|
||||
allow sensord sensorservice_service:service_manager find;
|
||||
# permission_service is used by the NDK sensor APIs.
|
||||
allow sensord permission_service:service_manager find;
|
||||
Loading…
Reference in a new issue