# HwBinder IPC from client to server, and callbacks binder_call(hal_cas_client, hal_cas_server) binder_call(hal_cas_server, hal_cas_client) add_hwservice(hal_cas_server, hal_cas_hwservice) allow hal_cas_client hal_cas_hwservice:hwservice_manager find; allow hal_cas_server hidl_memory_hwservice:hwservice_manager find; # Permit reading device's serial number from system properties get_prop(hal_cas, serialno_prop) # Read files already opened under /data allow hal_cas system_data_file:dir { search getattr }; allow hal_cas system_data_file:file { getattr read }; allow hal_cas system_data_file:lnk_file r_file_perms; # Read access to pseudo filesystems r_dir_file(hal_cas, cgroup) allow hal_cas cgroup:dir { search write }; allow hal_cas cgroup:file w_file_perms; # Allow access to ion memory allocation device allow hal_cas ion_device:chr_file rw_file_perms; allow hal_cas hal_graphics_allocator:fd use; allow hal_cas tee_device:chr_file rw_file_perms; ### ### neverallow rules ### # hal_cas should never execute any executable without a # domain transition neverallow hal_cas { file_type fs_type }:file execute_no_trans; # do not allow privileged socket ioctl commands neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;