From 75573c0fe5544afba750c0cebc6de4fe71c58a2d Mon Sep 17 00:00:00 2001 From: Martijn Coenen Date: Thu, 27 Apr 2017 14:13:44 -0700 Subject: [PATCH] Updated SEPolicy for camera/composer/sensors. Removes binder violations for camera/hwcomposer HALs. Bug: 36683636 Bug: 37302783 Test: muskie/taimen boot, graphics/camera works Change-Id: Id3996b3ca11e2c4cb1d0df10e0f4a456829b8f9b --- sepolicy/hal_camera.te | 9 +-------- sepolicy/hal_camera_default.te | 8 +++++--- sepolicy/hal_graphics_composer_default.te | 7 ++----- sepolicy/system_server.te | 1 + sepolicy/vndservice.te | 1 + sepolicy/vndservice_contexts | 1 + 6 files changed, 11 insertions(+), 16 deletions(-) create mode 100644 sepolicy/vndservice.te create mode 100644 sepolicy/vndservice_contexts diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te index 376c5627..58dd5744 100644 --- a/sepolicy/hal_camera.te +++ b/sepolicy/hal_camera.te @@ -29,14 +29,7 @@ r_dir_file(hal_camera, sysfs_type) # find libraries allow hal_camera system_file:dir r_dir_perms; -# talk over binder to some binder services -# TODO(b/36569385): Must be moved to HIDL -binder_use(hal_camera) -binder_call(hal_camera, binderservicedomain) - -allow hal_camera surfaceflinger_service:service_manager find; -allow hal_camera sensorservice_service:service_manager find; -allow hal_camera scheduling_policy_service:service_manager find; +allow hal_camera qdisplay_service:service_manager find; # talk to system_server diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te index c0d3bc87..9aa8df64 100644 --- a/sepolicy/hal_camera_default.te +++ b/sepolicy/hal_camera_default.te @@ -1,6 +1,8 @@ -# TODO(b/36569385): Remove once Camera HAL no longer uses Binder -typeattribute hal_camera_default binder_in_vendor_violators; - allow hal_camera_default input_device:dir r_dir_perms; allow hal_camera_default sysfs_laser:file w_file_perms; +vndbinder_use(hal_camera_default); +allow hal_camera_default qdisplay_service:service_manager { find }; + +binder_call(hal_camera_default, hal_graphics_composer) +binder_call(hal_camera_default, system_server) diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index 553235c1..e9056fc5 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te @@ -1,9 +1,6 @@ # Binder access (for display.qservice) -# TODO(35706331): Remove once Graphics Composer HAL stops using Binder -typeattribute hal_graphics_composer_default binder_in_vendor_violators; -binder_service(hal_graphics_composer_default) -binder_use(hal_graphics_composer_default) -allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find }; +vndbinder_use(hal_graphics_composer_default) +allow hal_graphics_composer_default qdisplay_service:service_manager { add find }; allow hal_graphics_composer_default sysfs_camera:dir search; allow hal_graphics_composer_default sysfs_camera:file r_file_perms; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index ef15cda9..cd3190f4 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -5,6 +5,7 @@ allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls; binder_call(system_server, per_mgr) binder_call(system_server, folio_daemon) +binder_call(system_server, hal_camera_default) allow system_server per_mgr_service:service_manager find; # TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets. diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te new file mode 100644 index 00000000..10354f2a --- /dev/null +++ b/sepolicy/vndservice.te @@ -0,0 +1 @@ +type qdisplay_service, vndservice_manager_type; diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts new file mode 100644 index 00000000..b7e4bd9d --- /dev/null +++ b/sepolicy/vndservice_contexts @@ -0,0 +1 @@ +display.qservice u:object_r:qdisplay_service:s0