ac2b4cd2cb
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
against the hal_foo attribute. This policy is granted to domains
which offer the Foo HAL service over HwBinder and, if Foo HAL runs
in the so-called passthrough mode (inside the process of each
client), also granted to all domains which are clients of Foo HAL.
hal_foo is there to avoid duplicating the rules for hal_foo_client
and hal_foo_server to cover the passthrough/in-process Foo HAL and
binderized/out-of-process Foo HAL cases.
A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.
This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
36 lines
1.1 KiB
Text
36 lines
1.1 KiB
Text
# HwBinder IPC from client to server, and callbacks
|
|
binder_call(hal_audio_client, hal_audio_server)
|
|
binder_call(hal_audio_server, hal_audio_client)
|
|
|
|
# Both client and the server need to use hwallocator
|
|
hwallocator_use(hal_audio_client)
|
|
hwallocator_use(hal_audio_server)
|
|
|
|
allow hal_audio ion_device:chr_file r_file_perms;
|
|
|
|
allow hal_audio system_file:dir { open read };
|
|
|
|
userdebug_or_eng(`
|
|
# used for pcm capture for debug.
|
|
allow hal_audio audiohal_data_file:dir create_dir_perms;
|
|
allow hal_audio audiohal_data_file:file create_file_perms;
|
|
')
|
|
|
|
r_dir_file(hal_audio, proc)
|
|
allow hal_audio audio_device:dir r_dir_perms;
|
|
allow hal_audio audio_device:chr_file rw_file_perms;
|
|
|
|
# Needed on some devices for playing audio on paired BT device,
|
|
# but seems appropriate for all devices.
|
|
unix_socket_connect(hal_audio, bluetooth, bluetooth)
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# Should never execute any executable without a domain transition
|
|
neverallow hal_audio { file_type fs_type }:file execute_no_trans;
|
|
|
|
# Should never need network access.
|
|
# Disallow network sockets.
|
|
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
|