platform_system_sepolicy/public/hal_graphics_composer.te
Steven Moreland f30a82efe2 Fix graphics composer denial.
Right now, the hwcomposer hidl hal is unable to figure out where
to get the hidl mapper implementation.

It is expected that all graphics composer objects will need this
permission. The interfaces are written to work together with the
"IMapper" being the same-process ("sphal") component and the
"IComposer" interface being the binderized component.

10-09 00:24:38.900   457   457 E SELinux : avc:  denied  { find } for
interface=android.hardware.graphics.mapper::IMapper pid=495
scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:hal_graphics_mapper_hwservice:s0 tclass=hwservice_manager

Test: boot marlin, denial no longer present.
Bug: 38415912
Change-Id: I1b274be10e115fa7b53fb81e85be8827da05997e
2017-05-19 14:14:35 -07:00

# HwBinder IPC from client to server, and callbacks
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:dir search;
allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
# Fences
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:capability sys_nice;
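
An added example, not part of the AOSP policy or of this commit: a small Python triage helper that parses the avc denial quoted in the commit message and renders the allow rule found under "Coordinate with hal_graphics_mapper". The function names are hypothetical, and writing the rule on the hal_graphics_composer_server attribute assumes hal_graphics_composer_default is a member of it, as the commit's test result implies.

```python
import re

# The denial from the commit message above, joined back onto one line.
DENIAL = (
    "10-09 00:24:38.900   457   457 E SELinux : avc:  denied  { find } for "
    "interface=android.hardware.graphics.mapper::IMapper pid=495 "
    "scontext=u:r:hal_graphics_composer_default:s0 "
    "tcontext=u:object_r:hal_graphics_mapper_hwservice:s0 tclass=hwservice_manager"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
REQUIRED = ("scontext", "tcontext", "tclass")


def parse_denial(line):
    """Return the fields of one avc denial as a dict, or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after "for" is a run of key=value pairs.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if any(key not in fields for key in REQUIRED):
        return None
    # A context is user:role:type:level; the type is always the third field.
    fields["source"] = fields["scontext"].split(":")[2]
    fields["target"] = fields["tcontext"].split(":")[2]
    fields["perms"] = m.group("perms").split()
    return fields


def to_allow_rule(denial, source_attr=None):
    """Render an allow rule; source_attr replaces the denied domain with an
    attribute so every implementation of the HAL gets the same permission."""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    source = source_attr or denial["source"]
    return "allow %s %s:%s %s;" % (source, denial["target"], denial["tclass"], perm_str)


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    print("denied interface:", d.get("interface"))
    print("per-domain rule: ", to_allow_rule(d))
    print("attribute rule:  ", to_allow_rule(d, "hal_graphics_composer_server"))
```

The per-domain rule would fix only the default implementation; the attribute form matches the commit's statement that all graphics composer objects need this permission.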