tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/prebuilts/api/31.0/public/hal_cas.te
Inseob Kim 08d4c8fa6e Add fake 31.0 prebuilt 
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP
policy, but slightly modified so the set of types and attributes is a
subset of real 31.0 prebuilt (sc-dev policy).

Steps taken to make the fake prebuilt:

1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target
aosp_arm64-eng.
2) diff both outputs to find out which types and attributes don't exist.
3) remove all relevant files and statements.

As a result, the following types are removed.

artd
artd_exec
artd_service
power_stats_service
transformer_service
virtualizationservice
virtualizationservice_data_file
virtualizationservice_exec

Bug: 189161483
Test: N/A, will do after adding 31.0 mapping files.
Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf
Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-15 12:08:00 +00:00

38 lines
1.2 KiB
Text
Raw Blame History

# HwBinder IPC from client to server, and callbacks
binder_call(hal_cas_client, hal_cas_server)
binder_call(hal_cas_server, hal_cas_client)
hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
get_prop(hal_cas_server, serialno_prop)
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
r_dir_file(hal_cas, cgroup_v2)
allow hal_cas cgroup_v2:dir { search write };
allow hal_cas cgroup_v2:file w_file_perms;
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
allow hal_cas tee_device:chr_file rw_file_perms;
###
### neverallow rules
###
# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Reference in a new issue View git blame Copy permalink