Skip to content
Snippets Groups Projects
Commit e0c8c89f authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by android-build-merger
Browse files

Enforce separation of privilege for HAL driver access am: 7fa59c81 am: fa633e52 

am: a023a9e5

Change-Id: I5eff6e6bc209f4da83602e3a5501d5c081525e24
parents c2c9782a a023a9e5
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
public/hal_audio.te
+ 3
0
View file @ e0c8c89f
...@@ -38,3 +38,6 @@ neverallow hal_audio { file_type fs_type }:file execute_no_trans; ...@@ -38,3 +38,6 @@ neverallow hal_audio { file_type fs_type }:file execute_no_trans;
# Should never need network access. # Should never need network access.
# Disallow network sockets. # Disallow network sockets.
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *; neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
public/hal_camera.te
+ 4
0
View file @ e0c8c89f
...@@ -28,3 +28,7 @@ neverallow hal_camera { file_type fs_type }:file execute_no_trans; ...@@ -28,3 +28,7 @@ neverallow hal_camera { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets. # hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *; neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera and video hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment