Merge "VR: Add sepolicy for VR HWC service" into oc-dev

am: ed82acb9

Change-Id: I2c7dc59f0ea468fba1e34d38a55cc2e8e6cc3289

private/file_contexts

@@ -256,6 +256,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
 # Vendor files

private/service_contexts

@@ -158,6 +158,7 @@ vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
 vr_window_manager                         u:object_r:vr_window_manager_service:s0
+vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0

private/system_app.te

@@ -57,7 +57,7 @@ binder_call(system_app, incidentd)
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state

private/vr_hwc.te

+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)

public/dumpstate.te

@@ -170,7 +170,7 @@ userdebug_or_eng(`
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;

public/service.te

@@ -28,6 +28,7 @@ type system_app_service,        service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vr_window_manager_service, service_manager_type;
+type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

public/shell.te

@@ -82,7 +82,7 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager

public/vr_hwc.te

+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+binder_call(vr_hwc, vr_wm)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+use_pdx(vr_hwc, surfaceflinger)
+
+# Limit access so only vr_wm can connect.
+neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;

public/vr_wm.te

@@ -4,18 +4,15 @@ type vr_wm_exec, exec_type, file_type;
 hal_client_domain(vr_wm, hal_graphics_allocator)
 
 binder_use(vr_wm)
-binder_call(vr_wm, surfaceflinger)
 binder_call(vr_wm, virtual_touchpad)
+binder_call(vr_wm, vr_hwc)
 
 allow vr_wm virtual_touchpad_service:service_manager find;
+allow vr_wm vr_hwc_service:service_manager find;
 
 binder_service(vr_wm)
 add_service(vr_wm, vr_window_manager_service)
 
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_wm)
-
 # Load vendor libraries.
 allow vr_wm system_file:dir r_dir_perms;