75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
24 lines
1.2 KiB
Text
24 lines
1.2 KiB
Text
# HwBinder IPC from client to server
|
|
binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
|
|
|
|
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
|
|
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
|
|
allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
|
|
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
|
|
|
|
# GPU device access
|
|
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
|
|
allow hal_graphics_allocator gpu_device:dir r_dir_perms;
|
|
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
|
|
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
|
|
|
|
# Access the secure heap
|
|
allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
|
|
|
|
# allow to run with real-time scheduling policy
|
|
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
|
|
|
|
# IAllocator stable-aidl
|
|
hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
|
|
binder_call(hal_graphics_allocator_server, servicemanager)
|
|
binder_call(hal_graphics_allocator_client, servicemanager)
|