platform_system_sepolicy/public/bufferhubd.te
Alex Vakulenko 41daa7f859 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-10 16:39:19 -07:00

20 lines
704 B
Text

# bufferhubd
type bufferhubd, domain, mlstrustedsubject;
type bufferhubd_exec, exec_type, file_type;
hal_client_domain(bufferhubd, hal_graphics_allocator)
pdx_server(bufferhubd, bufferhub_client)
pdx_client(bufferhubd, performance_client)
# Access the GPU.
allow bufferhubd gpu_device:chr_file rw_file_perms;
# Access /dev/ion
allow bufferhubd ion_device:chr_file r_file_perms;
# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd mediacodec:fd use;