Remove hal_light from system_server domain
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
Test: Boot sailfish, adjust screen brightness from the system UI, no
SELinux denials for system_server to do with sysfs_leds.
Bug: 34715716
Change-Id: Iccb4224d770583e3c38930e8562723d57d283077
This commit is contained in:
Alex Klyubin
parent
a7653ee2ed
commit
384a73deb2
1 changed files with 7 additions and 3 deletions
|
|
@ -4,9 +4,6 @@
|
|||
#
|
||||
type system_server, domain, domain_deprecated, mlstrustedsubject;
|
||||
|
||||
# Attributes for passthrough hals
|
||||
typeattribute system_server hal_light;
|
||||
|
||||
# For art.
|
||||
allow system_server dalvikcache_data_file:dir r_dir_perms;
|
||||
allow system_server dalvikcache_data_file:file { r_file_perms execute };
|
||||
|
|
@ -610,6 +607,13 @@ r_dir_file(system_server, sysfs_type)
|
|||
# Allow system_server to make binder calls to hwservicemanager
|
||||
binder_call(system_server, hwservicemanager)
|
||||
|
||||
### Rules needed when Light HAL runs inside system_server process.
|
||||
### These rules should eventually be granted only when needed.
|
||||
allow system_server sysfs_leds:lnk_file read;
|
||||
allow system_server sysfs_leds:file rw_file_perms;
|
||||
allow system_server sysfs_leds:dir r_dir_perms;
|
||||
###
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Allow WifiService to start, stop, and read wifi-specific trace events.
|
||||
allow system_server debugfs_tracing_instances:dir search;
|
||||
|
|
|
|||
Loading…
Reference in a new issue