Move platform/vendor data violations to device policy
am: 98dd9bb659
Change-Id: Ibf51767859153a0016ef74b896233835011cfcdb
6
sepolicy/vendor/hal_drm_default.te
vendored
@@ -1 +1,7 @@
|
||||
allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
|
||||
|
||||
# TODO(b/36601695): Remove data_between_core_and_vendor violators once
|
||||
# hal_drm_default no longer directly accesses media_data_file.
|
||||
typeattribute hal_drm_default data_between_core_and_vendor_violators;
|
||||
allow hal_drm_default media_data_file:dir create_dir_perms;
|
||||
allow hal_drm_default media_data_file:file create_file_perms;
|
||||
|
||||
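Review bot: The two `media_data_file` rules give `hal_drm_default` the full `create_dir_perms` and `create_file_perms` sets, and nothing in the file says which directory the HAL actually needs. A comment above them naming the path, in the style of `# access to /data/system/users/[0-9]+/fpdata` in hal_fingerprint_default.te, would let the TODO be closed out against a known location, e.g. `# DRM plugin state under <path labelled media_data_file>`. The same applies to the identical pair of rules for `hal_drm_widevine` in hal_drm_widevine.te. Which of the seven lines are new cannot be read from this rendering, so this assumes the block under the TODO is the addition.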
8
sepolicy/vendor/hal_drm_widevine.te
vendored
@@ -8,8 +8,8 @@ hal_server_domain(hal_drm_widevine, hal_drm)
|
||||
|
||||
vndbinder_use(hal_drm_widevine);
|
||||
|
||||
allow hal_drm mediacodec:fd use;
|
||||
allow hal_drm { appdomain -isolated_app }:fd use;
|
||||
allow hal_drm_widevine mediacodec:fd use;
|
||||
allow hal_drm_widevine { appdomain -isolated_app }:fd use;
|
||||
|
||||
# The Qualcomm DRM-HAL implementation uses a vendor-binder service provided
|
||||
# by the HWC HAL.
|
||||
@@ -17,5 +17,7 @@ allow hal_drm_widevine qdisplay_service:service_manager { find };
|
||||
binder_call(hal_drm_widevine, hal_graphics_composer)
|
||||
|
||||
# TODO(b/36601695): Remove data_between_core_and_vendor violators once
|
||||
# hal_drm no longer directly accesses media_data_file.
|
||||
# hal_drm_widevine no longer directly accesses media_data_file.
|
||||
typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
|
||||
allow hal_drm_widevine media_data_file:dir create_dir_perms;
|
||||
allow hal_drm_widevine media_data_file:file create_file_perms;
|
||||
|
||||
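--- a/sepolicy/vendor/hal_fingerprint.te
+++ b/sepolicy/vendor/hal_fingerprint.te
@@ -1,7 +0,0 @@
-allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
-allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
-allow hal_fingerprint sysfs_msm_subsys:dir search;
-allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
-allow hal_fingerprint tee_device:file rw_file_perms;
-allow hal_fingerprint tee_device:chr_file rw_file_perms;
-allow hal_fingerprint uhid_device:chr_file rw_file_perms;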
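--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:dir search;
+allow hal_fingerprint_default sysfs_msm_subsys:file r_file_perms;
+allow hal_fingerprint_default tee_device:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;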
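Review bot: `allow hal_fingerprint_default tee_device:file rw_file_perms;` was carried over from hal_fingerprint.te unchanged, and the next rule already grants the same permissions on `tee_device:chr_file`. If `tee_device` only ever labels device nodes, the `:file` rule grants nothing useful and could be dropped while the rules are being moved. The TODO comment also still names `hal_fingerprint` rather than the new domain; the widevine file's comment was updated in this commit, so `# hal_fingerprint_default no longer directly accesses fingerprintd_data_file.` would keep the two consistent.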
7
sepolicy/vendor/hal_nfc_default.te
vendored
@@ -1,3 +1,10 @@
|
||||
# Data file accesses.
|
||||
allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
|
||||
allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
|
||||
|
||||
# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
|
||||
# hal_nfc no longer directly accesses /data owned by the nfc app.
|
||||
typeattribute hal_nfc_default data_between_core_and_vendor_violators;
|
||||
# Data file accesses.
|
||||
allow hal_nfc_default nfc_data_file:dir create_dir_perms;
|
||||
allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
|
||||
|
||||
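Review bot: `allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;` lets the vendor HAL create symlinks and FIFOs in data the TODO describes as owned by the nfc app, which is wider than the plain `file` class used by the other violator rules in this commit. If the HAL does not need those classes, `allow hal_nfc_default nfc_data_file:file create_file_perms;` is the narrower form; if it does, a comment saying why would help whoever resolves the TODO. Both rule groups are headed `# Data file accesses.`, so the second heading could read `# Accesses to nfc app data (core/vendor violation).` to tell them apart. Which lines are new cannot be read from this rendering; this assumes the block under the TODO.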
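--- a/sepolicy/vendor/hal_wifi_supplicant_default.te
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,10 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file .
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant_default wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_socket:sock_file create_file_perms;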
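Review bot: The two `wifi_data_file` rules grant `create_dir_perms` and `create_file_perms` with no comment on why the supplicant HAL must create directories there, whereas hostapd.te in the same commit gets only `rw_file_perms` plus `r_dir_file` on the same type and explains why. A one-line rationale above the rules would help, or `rw_dir_perms` on the directory if the HAL only adds and removes files in an existing directory; that cannot be determined from this page. The TODO comment also has a stray space before the full stop in `wifi_data_file .`.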
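--- a/sepolicy/vendor/hostapd.te
+++ b/sepolicy/vendor/hostapd.te
@@ -0,0 +1,12 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hostapd no longer directly accesses /data outside /data/vendor.
+typeattribute hostapd data_between_core_and_vendor_violators;
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;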
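Review bot: `allow hostapd wifi_data_file:file rw_file_perms;` covers every file carrying that label, and hal_wifi_supplicant_default.te in this commit is granted access to the same `wifi_data_file` type, so the rule appears to let hostapd read and modify the supplicant's files as well as its own. The comment justifies the access with the entropy file only. A dedicated type for hostapd's files would confine it; until then a comment such as `# NOTE: wifi_data_file is shared with hal_wifi_supplicant_default` next to the rule would record the exposure for whoever resolves the TODO.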