From 2ae57455960733c452a50fc7acf283bdd03d76d2 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Thu, 30 Mar 2017 17:45:10 -0700
Subject: [PATCH] Add cameraserver and NFC HAL to socket comms violators list

Being on this list does not change what these domains can do. It only loosens neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I376f08b1afd274376655679cd86bc6adeebf7c94
---
 sepolicy/hal_camera.te | 4 ++++
 sepolicy/nfc_hal_pn54x.te | 1 +
 2 files changed, 5 insertions(+)

diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
index 34fb7190..376c5627 100644
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -13,6 +13,10 @@ allow hal_camera self:capability sys_nice;
 allow hal_camera gpu_device:chr_file rw_file_perms;
 allow hal_camera perfd_socket:sock_file w_file_perms;
 
+# TODO(b/34274385): Remove this once Camera HAL is guaranteed to be binderized on full Treble
+# devices. Passthrough Camera HAL makes cameraserver use perfd socket which is a vendor socket.
+# cameraserver, being a non-vendor component, is not permitted to use that socket.
+typeattribute cameraserver socket_between_core_and_vendor_violators;
 
 # access to /dev/input/event{5,10}
 allow hal_camera input_device:dir r_dir_perms;
diff --git a/sepolicy/nfc_hal_pn54x.te b/sepolicy/nfc_hal_pn54x.te
index d27e5e67..08f2be27 100644
--- a/sepolicy/nfc_hal_pn54x.te
+++ b/sepolicy/nfc_hal_pn54x.te
@@ -23,6 +23,7 @@ allow nfc_hal_pn54x nfc_device:chr_file rw_file_perms;
 # outside /data/vendor. Also, the label cannot be nfc_data_file since
 # that belongs to the nfc app.
 typeattribute nfc_hal_pn54x coredata_in_vendor_violators;
+typeattribute nfc_hal_pn54x socket_between_core_and_vendor_violators;
 allow nfc_hal_pn54x nfc_data_file:dir create_dir_perms;
 allow nfc_hal_pn54x nfc_data_file:notdevfile_class_set create_file_perms;
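Review bot: The new `typeattribute cameraserver socket_between_core_and_vendor_violators;` line in the hal_camera.te hunk modifies the cameraserver domain, not hal_camera, so anyone auditing cameraserver's neverallow exemptions by reading its own .te file will miss it; either move the line to the file that declares cameraserver or add a pointer comment there such as `# NOTE: cameraserver's core/vendor socket exemption is declared in hal_camera.te (passthrough Camera HAL).` Judging by the attribute's name, membership appears to exempt the whole domain from the core/vendor socket neverallow rather than only perfd_socket, which is broader than the TODO comment describes, so the comment should state that scope explicitly (e.g. `# This exempts cameraserver from the core<->vendor socket neverallow entirely, not just for perfd_socket.`) so the risk is not underestimated when the removal bug is revisited. The nfc_hal_pn54x.te hunk adds the same attribute without any comment naming the socket that crosses the boundary or a removal TODO, unlike the adjacent coredata_in_vendor_violators line; a one-liner like `# TODO(b/36577153): document the vendor<->core socket involved and remove once fixed` would keep the two exemptions consistently documented. The nfc hunk's trailing context may extend past the end of this excerpt.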