tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add atrace HAL 1.0 sepolicy

Browse source 
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
This commit is contained in:
Wei Wang 2018-09-19 16:06:28 -07:00
parent 5e37271df8
commit bc71a6109e
13 changed files with 33 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/app_neverallows.te
View file

@ -195,6 +195,7 @@ neverallow all_untrusted_apps {
# Make sure that the following services are never accessible by untrusted_apps # Make sure that the following services are never accessible by untrusted_apps
neverallow all_untrusted_apps { neverallow all_untrusted_apps {
default_android_hwservice default_android_hwservice
hal_atrace_hwservice
hal_audio_hwservice hal_audio_hwservice
hal_authsecret_hwservice hal_authsecret_hwservice
hal_bluetooth_hwservice hal_bluetooth_hwservice

3
private/atrace.te
View file

@ -26,6 +26,9 @@ allow atrace system_server:binder call;
get_prop(atrace, hwservicemanager_prop) get_prop(atrace, hwservicemanager_prop)
# atrace can call atrace HAL
hal_client_domain(atrace, hal_atrace)
allow atrace { allow atrace {
service_manager_type service_manager_type
-incident_service -incident_service

1
private/compat/26.0/26.0.ignore.cil
View file

@ -57,6 +57,7 @@
fastbootd fastbootd
fingerprint_vendor_data_file fingerprint_vendor_data_file
fs_bpf fs_bpf
hal_atrace_hwservice
hal_audiocontrol_hwservice hal_audiocontrol_hwservice
hal_authsecret_hwservice hal_authsecret_hwservice
hal_broadcastradio_hwservice hal_broadcastradio_hwservice

1
private/compat/27.0/27.0.ignore.cil
View file

@ -53,6 +53,7 @@
fastbootd fastbootd
fingerprint_vendor_data_file fingerprint_vendor_data_file
fs_bpf fs_bpf
hal_atrace_hwservice
hal_audiocontrol_hwservice hal_audiocontrol_hwservice
hal_authsecret_hwservice hal_authsecret_hwservice
hal_codec2_hwservice hal_codec2_hwservice

1
private/compat/28.0/28.0.ignore.cil
View file

@ -11,6 +11,7 @@
buffer_hub_service buffer_hub_service
fastbootd fastbootd
color_display_service color_display_service
hal_atrace_hwservice
hal_health_storage_hwservice hal_health_storage_hwservice
hal_system_suspend_default hal_system_suspend_default
hal_system_suspend_default_exec hal_system_suspend_default_exec

1
private/hwservice_contexts
View file

@ -1,6 +1,7 @@
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0 android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0 android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0 android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0 android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0 android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0 android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0

3
private/shell.te
View file

@ -54,3 +54,6 @@ allow shell perfetto_traces_data_file:file r_file_perms;
# Allow shell-based "dumpsys" to call into bufferhubd. # Allow shell-based "dumpsys" to call into bufferhubd.
binder_call(shell, bufferhubd); binder_call(shell, bufferhubd);
# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)

1
public/attributes
View file

@ -242,6 +242,7 @@ attribute hal_automotive_socket_exemption;
# HALs # HALs
hal_attribute(allocator); hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio); hal_attribute(audio);
hal_attribute(audiocontrol); hal_attribute(audiocontrol);
hal_attribute(authsecret); hal_attribute(authsecret);

4
public/hal_atrace.te Normal file
View file

@ -0,0 +1,4 @@
# HwBinder IPC from client to server
binder_call(hal_atrace_client, hal_atrace_server)
hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)

1
public/hwservice.te
View file

@ -2,6 +2,7 @@ type default_android_hwservice, hwservice_manager_type;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
type hal_atrace_hwservice, hwservice_manager_type;
type hal_audiocontrol_hwservice, hwservice_manager_type; type hal_audiocontrol_hwservice, hwservice_manager_type;
type hal_audio_hwservice, hwservice_manager_type; type hal_audio_hwservice, hwservice_manager_type;
type hal_authsecret_hwservice, hwservice_manager_type; type hal_authsecret_hwservice, hwservice_manager_type;

1
public/su.te
View file

@ -58,6 +58,7 @@ userdebug_or_eng(`
# permission to interact with it. # permission to interact with it.
typeattribute su halclientdomain; typeattribute su halclientdomain;
typeattribute su hal_allocator_client; typeattribute su hal_allocator_client;
typeattribute su hal_atrace_client;
typeattribute su hal_audio_client; typeattribute su hal_audio_client;
typeattribute su hal_authsecret_client; typeattribute su hal_authsecret_client;
typeattribute su hal_bluetooth_client; typeattribute su hal_bluetooth_client;

1
vendor/file_contexts vendored
View file

@ -1,6 +1,7 @@
############################# #############################
# Default HALs # Default HALs
# #
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0

14
vendor/hal_atrace_default.te vendored Normal file
View file

@ -0,0 +1,14 @@
type hal_atrace_default, domain;
hal_server_domain(hal_atrace_default, hal_atrace)
type hal_atrace_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_atrace_default)
# Allow atrace HAL to access tracefs.
allow hal_atrace_default debugfs_tracing:dir r_dir_perms;
allow hal_atrace_default debugfs_tracing:file rw_file_perms;
userdebug_or_eng(`
allow hal_atrace_default debugfs_tracing_debug:dir r_dir_perms;
allow hal_atrace_default debugfs_tracing_debug:file rw_file_perms;
')