SEPolicy rules for CAN bus HAL am: 602b30302a am: 0540154021 am: 2f0ee4345f

am: ce9863e755

Change-Id: Ie9209450d3fdf6c095184067e5acc1097358ff3e
This commit is contained in:
Tomasz Wasilczyk 2019-08-01 20:09:07 -07:00 committed by android-build-merger
commit b94bb81337
8 changed files with 46 additions and 0 deletions

View file

@ -10,6 +10,8 @@
platform_compat_service
ctl_apexd_prop
device_config_sys_traced_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice

View file

@ -9,6 +9,8 @@ android.hardware.audio.effect::IEffectsFactory u:object_r:hal_a
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0

View file

@ -251,6 +251,8 @@ hal_attribute(bootctl);
hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);

9
public/hal_can.te Normal file
View file

@ -0,0 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;

View file

@ -3,6 +3,7 @@
neverallow {
halserverdomain
-hal_bluetooth_server
-hal_can_controller_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
@ -18,6 +19,7 @@ neverallow {
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server

View file

@ -13,6 +13,8 @@ type hal_bluetooth_hwservice, hwservice_manager_type;
type hal_bootctl_hwservice, hwservice_manager_type;
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_can_bus_hwservice, hwservice_manager_type;
type hal_can_controller_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
type hal_confirmationui_hwservice, hwservice_manager_type;

View file

@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0

26
vendor/hal_can_socketcan.te vendored Normal file
View file

@ -0,0 +1,26 @@
type hal_can_socketcan, domain;
hal_server_domain(hal_can_socketcan, hal_can_controller)
hal_server_domain(hal_can_socketcan, hal_can_bus)
type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_can_socketcan)
# Managing SocketCAN interfaces
allow hal_can_socketcan self:capability net_admin;
allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
# Calling if_nametoindex(3) to open CAN sockets
allow hal_can_socketcan self:udp_socket { create ioctl };
allowxperm hal_can_socketcan self:udp_socket ioctl {
SIOCGIFINDEX
};
# Communicating with SocketCAN interfaces and bringing them up/down
allow hal_can_socketcan self:can_socket { bind create read write ioctl };
allowxperm hal_can_socketcan self:can_socket ioctl {
SIOCGIFFLAGS
SIOCSIFFLAGS
};
# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;