Skip to content
Snippets Groups Projects
Commit ad49687b authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by android-build-merger
Browse files

clean up hal types am: 27ae545a am: 95bd7984

am: 8937ed09

Change-Id: Ib1617b7fdcf19b9014941428ab32544ed35b2e36
parents a2c00abc 8937ed09
No related branches found
No related tags found
No related merge requests found
......@@ -169,7 +169,6 @@
/system/bin/wificond u:object_r:wificond_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:android_hardware_audio_2_0_service_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
......@@ -219,13 +218,14 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/hw/wifi_hal_legacy u:object_r:wifi_hal_legacy_exec:s0
/system/fake-lib(64)?/libart.* u:object_r:libart_file:s0
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android.hardware.boot@1.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android.hardware.nfc@1.0-service u:object_r:android_hardware_nfc_1_0_service_exec:s0
/system/bin/hw/android.hardware.vibrator@1.0-service u:object_r:android_hardware_vibrator_service_exec:s0
/system/bin/hw/android.hardware.vr@1.0-service u:object_r:android_hardware_vr_exec:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_exec:s0
/system/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_exec:s0
/system/bin/hw/wifi_hal_legacy u:object_r:wifi_hal_legacy_exec:s0
#############################
# Vendor files
......
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(android_hardware_audio_2_0_service)
init_daemon_domain(hal_audio)
# may be started by init
init_daemon_domain(android_hardware_vr)
init_daemon_domain(hal_nfc)
# may be started by init
init_daemon_domain(android_hardware_nfc_1_0_service)
init_daemon_domain(hal_vibrator)
# may be started by init
init_daemon_domain(android_hardware_vibrator_service)
init_daemon_domain(hal_vr)
# android_hardware_audio_2_0_service - audio services daemon
type android_hardware_audio_2_0_service, domain;
type android_hardware_audio_2_0_service_exec, exec_type, file_type;
hwbinder_use(android_hardware_audio_2_0_service)
binder_call(android_hardware_audio_2_0_service, audioserver)
allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
allow android_hardware_audio_2_0_service system_file:dir { open read };
userdebug_or_eng(`
# used for pcm capture for debug.
allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
')
r_dir_file(android_hardware_audio_2_0_service, proc)
allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
###
### neverallow rules
###
# android_hardware_audio_2_0_service should never execute any executable without
# a domain transition
neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
# android_hardware_audio_2_0_service should never need network access.
# Disallow network sockets.
neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;
\ No newline at end of file
# nfc subsystem
type android_hardware_nfc_1_0_service, domain;
type android_hardware_nfc_1_0_service_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(android_hardware_nfc_1_0_service)
# call into NFC process (callbacks)
binder_call(android_hardware_nfc_1_0_service, nfc)
# Set NFC properties (used by bcm2079x HAL).
set_prop(android_hardware_nfc_1_0_service, nfc_prop)
# NFC device access.
allow android_hardware_nfc_1_0_service nfc_device:chr_file rw_file_perms;
# Data file accesses.
allow android_hardware_nfc_1_0_service nfc_data_file:dir create_dir_perms;
allow android_hardware_nfc_1_0_service nfc_data_file:notdevfile_class_set create_file_perms;
# vibrator subsystem
type android_hardware_vibrator_service, domain;
type android_hardware_vibrator_service_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(android_hardware_vibrator_service)
# vibrator sysfs rw access
allow android_hardware_vibrator_service sysfs_vibrator:file rw_file_perms;
# vr subsystem
type android_hardware_vr, domain;
type android_hardware_vr_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(android_hardware_vr)
# call into system_server process
binder_call(android_hardware_vr, system_server)
......@@ -10,7 +10,7 @@ binder_call(audioserver, { appdomain ephemeral_app })
binder_service(audioserver)
hwbinder_use(audioserver)
binder_call(audioserver, android_hardware_audio_2_0_service)
binder_call(audioserver, hal_audio)
r_dir_file(audioserver, proc)
allow audioserver ion_device:chr_file r_file_perms;
......
# hal_audio - audio services daemon
type hal_audio, domain;
type hal_audio_exec, exec_type, file_type;
hwbinder_use(hal_audio)
binder_call(hal_audio, audioserver)
allow hal_audio ion_device:chr_file r_file_perms;
allow hal_audio system_file:dir { open read };
userdebug_or_eng(`
# used for pcm capture for debug.
allow hal_audio audiohal_data_file:dir create_dir_perms;
allow hal_audio audiohal_data_file:file create_file_perms;
')
r_dir_file(hal_audio, proc)
allow hal_audio audio_device:dir r_dir_perms;
allow hal_audio audio_device:chr_file rw_file_perms;
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(hal_audio, bluetooth, bluetooth)
###
### neverallow rules
###
# hal_audio should never execute any executable without
# a domain transition
neverallow hal_audio { file_type fs_type }:file execute_no_trans;
# hal_audio should never need network access.
# Disallow network sockets.
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
# nfc subsystem
type hal_nfc, domain;
type hal_nfc_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(hal_nfc)
# call into NFC process (callbacks)
binder_call(hal_nfc, nfc)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
# NFC device access.
allow hal_nfc nfc_device:chr_file rw_file_perms;
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
allow hal_nfc nfc_data_file:notdevfile_class_set create_file_perms;
# vibrator subsystem
type hal_vibrator, domain;
type hal_vibrator_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(hal_vibrator)
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
# vr subsystem
type hal_vr, domain;
type hal_vr_exec, exec_type, file_type;
# hwbinder access
hwbinder_use(hal_vr)
# call into system_server process
binder_call(hal_vr, system_server)
......@@ -36,4 +36,4 @@ allow nfc system_api_service:service_manager find;
allow nfc shell_data_file:file read;
# allow NFC process to call into the NFC HAL
binder_call(nfc, android_hardware_nfc_1_0_service)
binder_call(nfc, hal_nfc)
......@@ -148,8 +148,8 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, hal_boot)
binder_call(system_server, android_hardware_vibrator_service)
binder_call(system_server, android_hardware_vr)
binder_call(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, fingerprintd)
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment