Merge "Updated SEPolicy for camera/composer/sensors."

2026-02-01 07:50:47 +00:00 · 2017-04-29 06:55:01 +00:00
parent 940ef509ca 75573c0fe5
commit 1f03943760
6 changed files with 11 additions and 16 deletions
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -29,14 +29,7 @@ r_dir_file(hal_camera, sysfs_type)
 # find libraries
 allow hal_camera system_file:dir r_dir_perms;

-# talk over binder to some binder services
-# TODO(b/36569385): Must be moved to HIDL
-binder_use(hal_camera)
-binder_call(hal_camera, binderservicedomain)
-
-allow hal_camera surfaceflinger_service:service_manager find;
-allow hal_camera sensorservice_service:service_manager find;
-allow hal_camera scheduling_policy_service:service_manager find;
+allow hal_camera qdisplay_service:service_manager find;

 # talk to system_server

--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,6 +1,8 @@
-# TODO(b/36569385): Remove once Camera HAL no longer uses Binder
-typeattribute hal_camera_default binder_in_vendor_violators;
-
 allow hal_camera_default input_device:dir r_dir_perms;

 allow hal_camera_default sysfs_laser:file w_file_perms;
+vndbinder_use(hal_camera_default);
+allow hal_camera_default qdisplay_service:service_manager { find };
+
+binder_call(hal_camera_default, hal_graphics_composer)
+binder_call(hal_camera_default, system_server)
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -1,9 +1,6 @@
 # Binder access (for display.qservice)
-# TODO(35706331): Remove once Graphics Composer HAL stops using Binder
-typeattribute hal_graphics_composer_default binder_in_vendor_violators;
-binder_service(hal_graphics_composer_default)
-binder_use(hal_graphics_composer_default)
-allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };
+vndbinder_use(hal_graphics_composer_default)
+allow hal_graphics_composer_default qdisplay_service:service_manager { add find };

 allow hal_graphics_composer_default sysfs_camera:dir search;
 allow hal_graphics_composer_default sysfs_camera:file r_file_perms;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -5,6 +5,7 @@ allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
 binder_call(system_server, per_mgr)
 binder_call(system_server, folio_daemon)

+binder_call(system_server, hal_camera_default)
 allow system_server per_mgr_service:service_manager find;

 # TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets.
--- a/sepolicy/vndservice.te
+++ b/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type qdisplay_service,             vndservice_manager_type;
--- a/sepolicy/vndservice_contexts
+++ b/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+display.qservice                        u:object_r:qdisplay_service:s0
				`@@ -0,0 +1 @@`
				`type qdisplay_service, vndservice_manager_type;`
				`@@ -0,0 +1 @@`
				`display.qservice u:object_r:qdisplay_service:s0`