8c9cf62edb
One of the advantages of the DMA-BUF heaps framework over ION is that each heap is a separate char device and hence it is possible to create separate sepolicy permissions to restrict access to each heap. In the case of ION, allocation in every heap had to be done through /dev/ion which meant that there was no away to restrict allocations in a specific heap. This patch intends to restrict coredomain access to only approved categories of vendor heaps. Currently, the only identified category as per partner feedback is the system-secure heap which is defined as a heap that allocates from protected memory. Test: Build, video playback works on CF with ION disabled and without sepolicy denials Bug: 175697666 Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
119 lines
4.3 KiB
Text
119 lines
4.3 KiB
Text
# Device types
|
|
type device, dev_type, fs_type;
|
|
type ashmem_device, dev_type, mlstrustedobject;
|
|
type ashmem_libcutils_device, dev_type, mlstrustedobject;
|
|
type audio_device, dev_type;
|
|
type binder_device, dev_type, mlstrustedobject;
|
|
type hwbinder_device, dev_type, mlstrustedobject;
|
|
type vndbinder_device, dev_type;
|
|
type block_device, dev_type;
|
|
type camera_device, dev_type;
|
|
type dm_device, dev_type;
|
|
type dm_user_device, dev_type;
|
|
type keychord_device, dev_type;
|
|
type loop_control_device, dev_type;
|
|
type loop_device, dev_type;
|
|
type pmsg_device, dev_type, mlstrustedobject;
|
|
type radio_device, dev_type;
|
|
type ram_device, dev_type;
|
|
type rtc_device, dev_type;
|
|
type vold_device, dev_type;
|
|
type console_device, dev_type;
|
|
type fscklogs, dev_type;
|
|
# GPU (used by most UI apps)
|
|
type gpu_device, dev_type, mlstrustedobject;
|
|
type graphics_device, dev_type;
|
|
type hw_random_device, dev_type;
|
|
type input_device, dev_type;
|
|
type port_device, dev_type;
|
|
type lowpan_device, dev_type;
|
|
type mtp_device, dev_type, mlstrustedobject;
|
|
type nfc_device, dev_type;
|
|
type ptmx_device, dev_type, mlstrustedobject;
|
|
type kmsg_device, dev_type, mlstrustedobject;
|
|
type kmsg_debug_device, dev_type;
|
|
type null_device, dev_type, mlstrustedobject;
|
|
type random_device, dev_type, mlstrustedobject;
|
|
type secure_element_device, dev_type;
|
|
type sensors_device, dev_type;
|
|
type serial_device, dev_type;
|
|
type socket_device, dev_type;
|
|
type owntty_device, dev_type, mlstrustedobject;
|
|
type tty_device, dev_type;
|
|
type video_device, dev_type;
|
|
type zero_device, dev_type, mlstrustedobject;
|
|
type fuse_device, dev_type, mlstrustedobject;
|
|
type iio_device, dev_type;
|
|
type ion_device, dev_type, mlstrustedobject;
|
|
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
|
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
|
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
|
|
type qtaguid_device, dev_type;
|
|
type watchdog_device, dev_type;
|
|
type uhid_device, dev_type;
|
|
type uio_device, dev_type;
|
|
type tun_device, dev_type, mlstrustedobject;
|
|
type usbaccessory_device, dev_type, mlstrustedobject;
|
|
type usb_device, dev_type, mlstrustedobject;
|
|
type usb_serial_device, dev_type;
|
|
type gnss_device, dev_type;
|
|
type properties_device, dev_type;
|
|
type properties_serial, dev_type;
|
|
type property_info, dev_type;
|
|
|
|
# All devices have a uart for the hci
|
|
# attach service. The uart dev node
|
|
# varies per device. This type
|
|
# is used in per device policy
|
|
type hci_attach_dev, dev_type;
|
|
|
|
# All devices have a rpmsg device for
|
|
# achieving remoteproc and rpmsg modules
|
|
type rpmsg_device, dev_type;
|
|
|
|
# Partition layout block device
|
|
type root_block_device, dev_type;
|
|
|
|
# factory reset protection block device
|
|
type frp_block_device, dev_type;
|
|
|
|
# System block device mounted on /system.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type system_block_device, dev_type;
|
|
|
|
# Recovery block device.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type recovery_block_device, dev_type;
|
|
|
|
# boot block device.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type boot_block_device, dev_type;
|
|
|
|
# Userdata block device mounted on /data.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type userdata_block_device, dev_type;
|
|
|
|
# Cache block device mounted on /cache.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type cache_block_device, dev_type;
|
|
|
|
# Block device for any swap partition.
|
|
type swap_block_device, dev_type;
|
|
|
|
# Metadata block device used for encryption metadata.
|
|
# Assign this type to the partition specified by the encryptable=
|
|
# mount option in your fstab file in the entry for userdata.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type metadata_block_device, dev_type;
|
|
|
|
# The 'misc' partition used by recovery and A/B.
|
|
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
|
type misc_block_device, dev_type;
|
|
|
|
# 'super' partition to be used for logical partitioning.
|
|
type super_block_device, super_block_device_type, dev_type;
|
|
|
|
# sdcard devices; normally vold uses the vold_block_device label and creates a
|
|
# separate device node. gsid, however, accesses the original devide node
|
|
# created through uevents, so we use a separate label.
|
|
type sdcard_block_device, dev_type;
|