Merge changes If936c556,Ief48165c

* changes:
  Add permissions required for new DMA-BUF heap allocator
  Define a new selinux label for DMABUF system heap
Treehugger Robot 2020-09-21 17:59:16 +00:00 committed by Gerrit Code Review
commit 714e134b25
6 changed files with 8 additions and 0 deletions


@ -9,6 +9,7 @@
apex_info_file
cgroup_v2
debugfs_kprobes
dmabuf_system_heap_device
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_fingerprint_service


@ -92,6 +92,7 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
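Review bot: The new file_contexts entry labels only the literal `/dev/dma_heap/system` node, so any other heap node the kernel might expose under `/dev/dma_heap/` (none is shown on this page) would fall back to the generic `/dev` label rather than the type the allow rules in this commit target. If additional heaps can appear on a device, either add entries for them or record the intent with a comment above the new line, e.g. `# Only the system DMA-BUF heap is labeled; other heaps keep the default /dev label.`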


@ -933,6 +933,9 @@ allow system_server ion_device:chr_file r_file_perms;
allow system_server cgroup_v2:dir rw_dir_perms;
allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
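Review bot: The new rule grants `r_file_perms` on the heap node, which in Android's global_macros includes `ioctl`, with no `allowxperm` limiting which ioctls system_server may issue on it; a DMA-BUF heap performs allocation through a single ioctl (`DMA_HEAP_IOCTL_ALLOC` in the kernel uapi), so this is one of the few device nodes where an exact ioctl whitelist is cheap. Consider pairing the allow with `allowxperm system_server dmabuf_system_heap_device:chr_file ioctl { DMA_HEAP_IOCTL_ALLOC };` (the number needs a definition in the policy's ioctl defines if it is not already there). The same point applies to the app.te and mediaswcodec.te hunks in this commit, and the app-facing rule is the one most worth tightening since it reaches every non-isolated app. The line mirrors the existing `ion_device` rule, so if ion was deliberately left unrestricted a comment saying so would help the next reviewer.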


@ -308,6 +308,7 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;


@ -44,6 +44,7 @@ type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
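Review bot: `mlstrustedobject` on the new type lets the heap node be opened across MLS levels, mirroring `ion_device` on the line above, but nothing records why the DMA-BUF heap needs to bypass MLS constraints; a one-line comment would save the next reader from re-deriving it, e.g. `# mlstrustedobject: presumably because buffers are allocated by apps at different MLS levels, as with ion_device — confirm`. If the attribute was copied from ion without that requirement being checked, it is worth confirming before the type is widely referenced.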


@ -23,3 +23,4 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
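Review bot: The new allow rule is appended directly under the neverallow block and its hardening-link comment, so it reads as part of the networking neverallow rather than as a separate grant. Add a blank line and the same comment used in system_server.te, `# Access to /dev/dma_heap/system`, above it, or move it next to mediaswcodec's existing allow rules if there are any above this hunk.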