diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te index c909986c7..db20696a6 100644 --- a/private/automotive_display_service.te +++ b/private/automotive_display_service.te @@ -39,3 +39,6 @@ allow automotive_display_service gpu_device:dir search; # Allow to add a service to the servicemanager add_service(automotive_display_service, fwk_automotive_display_service); + +# Allow to communicate with EVS services +binder_call(automotive_display_service, hal_evs) diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil index f1307ad44..d146ae3f6 100644 --- a/private/compat/32.0/32.0.ignore.cil +++ b/private/compat/32.0/32.0.ignore.cil @@ -19,12 +19,15 @@ diced diced_exec fwk_automotive_display_service + evsmanagerd + evsmanagerd_service extra_free_kbytes extra_free_kbytes_exec fs_bpf_vendor gesture_prop hal_contexthub_service hal_camera_service + hal_evs_service hal_dice_service hal_drm_service hal_dumpstate_service diff --git a/private/evsmanagerd.te b/private/evsmanagerd.te new file mode 100644 index 000000000..37726287f --- /dev/null +++ b/private/evsmanagerd.te @@ -0,0 +1,39 @@ +# evsmanager +typeattribute evsmanagerd coredomain; +typeattribute evsmanagerd evsmanager_service_server; + +type evsmanagerd_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(evsmanagerd); + +# Declares as a binder service +binder_service(evsmanagerd) + +# Allows to add a service to service_manager +add_service(evsmanagerd, evsmanagerd_service) + +# Allows to use the binder IPC +binder_use(evsmanagerd) + +# Allows binder IPCs to the various system services +binder_call(evsmanagerd, system_server) + +# Allows to use EVS HAL implementations +hal_client_domain(evsmanagerd, hal_evs) + +# Allows to write messages to the shell +allow evsmanagerd shell:fd use; +allow evsmanagerd shell:fifo_file write; + +# Allows to use the graphics allocator +allow evsmanagerd hal_graphics_allocator:fd use; + +# Allows to use a bootstrap statsd +allow evsmanagerd statsbootstrap_service:service_manager find; + +# Allows binder IPCs to the CarService +binder_call(evsmanagerd, appdomain) + +# For HIDL evs manager implementation +allow evsmanagerd hal_evs_hwservice:hwservice_manager add; +allow evsmanagerd hidl_base_hwservice:hwservice_manager add; diff --git a/private/file_contexts b/private/file_contexts index ba5037695..fabbf2b37 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -377,6 +377,8 @@ /system/bin/odsign u:object_r:odsign_exec:s0 /system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0 /system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0 +/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0 +/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0 ############################# # Vendor files diff --git a/private/service_contexts b/private/service_contexts index 7075f4d47..4fb4b2972 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -1,4 +1,6 @@ android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0 +android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0 +android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0 android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0 android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0 android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0 @@ -75,6 +77,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0 aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0 aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0 alarm u:object_r:alarm_service:s0 +android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0 android.os.UpdateEngineService u:object_r:update_engine_service:s0 android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0 android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0 diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index 1c7f657af..bc7543b18 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -125,6 +125,9 @@ allow surfaceflinger statsmanager_service:service_manager find; # TODO(146461633): remove this once native pullers talk to StatsManagerService binder_call(surfaceflinger, statsd); +# Allow to use files supplied by hal_evs +allow surfaceflinger hal_evs:fd use; + # Allow pushing jank event atoms to statsd userdebug_or_eng(` unix_socket_send(surfaceflinger, statsdw, statsd) diff --git a/public/attributes b/public/attributes index 73861bdf4..4db8ba13d 100644 --- a/public/attributes +++ b/public/attributes @@ -398,6 +398,7 @@ hal_attribute(wifi_supplicant); attribute automotive_display_service_server; attribute camera_service_server; attribute display_service_server; +attribute evsmanager_service_server; attribute scheduler_service_server; attribute sensor_service_server; attribute stats_service_server; diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te new file mode 100644 index 000000000..cde0380cc --- /dev/null +++ b/public/evsmanagerd.te @@ -0,0 +1,2 @@ +# evsmanager daemon +type evsmanagerd, domain; diff --git a/public/hal_evs.te b/public/hal_evs.te index 789333af7..09a40d80e 100644 --- a/public/hal_evs.te +++ b/public/hal_evs.te @@ -1,5 +1,15 @@ hwbinder_use(hal_evs_client) hwbinder_use(hal_evs_server) + binder_call(hal_evs_client, hal_evs_server) binder_call(hal_evs_server, hal_evs_client) -hal_attribute_hwservice(hal_evs, hal_evs_hwservice) + +# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice) +# except it allows evsmanagerd to add hal_evs_hwservice. +allow hal_evs_client hal_evs_hwservice:hwservice_manager find; +allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find }; +allow hal_evs_server hidl_base_hwservice:hwservice_manager add; +neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add; + +# Allows to add a service +hal_attribute_service(hal_evs, hal_evs_service) diff --git a/public/service.te b/public/service.te index 46eaff17a..8c4ae5665 100644 --- a/public/service.te +++ b/public/service.te @@ -13,6 +13,7 @@ type dice_node_service, service_manager_type; type dnsresolver_service, service_manager_type; type drmserver_service, service_manager_type; type dumpstate_service, service_manager_type; +type evsmanagerd_service, service_manager_type; type fingerprintd_service, service_manager_type; type fwk_automotive_display_service, service_manager_type; type gatekeeper_service, app_api_service, service_manager_type; @@ -273,6 +274,7 @@ type hal_contexthub_service, vendor_service, protected_service, service_manager_ type hal_dice_service, vendor_service, protected_service, service_manager_type; type hal_drm_service, vendor_service, service_manager_type; type hal_dumpstate_service, vendor_service, protected_service, service_manager_type; +type hal_evs_service, vendor_service, protected_service, service_manager_type; type hal_face_service, vendor_service, protected_service, service_manager_type; type hal_fingerprint_service, vendor_service, protected_service, service_manager_type; type hal_gnss_service, vendor_service, protected_service, service_manager_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 762cf2089..4faa05af5 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -8,7 +8,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0 diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te index 57a0299be..d1d4559ef 100644 --- a/vendor/hal_evs_default.te +++ b/vendor/hal_evs_default.te @@ -6,10 +6,19 @@ hal_server_domain(hal_evs_default, hal_evs) type hal_evs_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_evs_default) -allow hal_evs_default hal_graphics_allocator_server:fd use; - -# allow to use surface flinger -allow hal_evs_default automotive_display_service_server:fd use; +# allow to use a graphic buffer +hal_client_domain(hal_evs_default, hal_configstore) +hal_client_domain(hal_evs_default, hal_graphics_allocator) +hal_client_domain(hal_evs_default, hal_graphics_composer) # allow to use automotive display service +binder_call(hal_evs_default, automotive_display_service_server) allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find; + +# allow to access EGL +allow hal_evs_default gpu_device:chr_file rw_file_perms; +allow hal_evs_default gpu_device:dir search; + +# allow to monitor uevents and access video devices +allow hal_evs_default device:dir r_dir_perms; +allow hal_evs_default video_device:chr_file rw_file_perms;