Merge "Set up access control rule for aocxd" into main
This commit is contained in:
Bowen Lai
Android (Google) Code Review
commit
f23d87650d
4 changed files with 22 additions and 1 deletions
|
|
@ -1,4 +1,6 @@
|
|||
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
|
||||
BOARD_VENDOR_SEPOLICY_DIRS += \
|
||||
device/google/gs-common/aoc/sepolicy \
|
||||
device/google/gs-common/aoc/sepolicy/allowlist
|
||||
|
||||
PRODUCT_PACKAGES += dump_aoc \
|
||||
aocd \
|
||||
|
|
|
|||
11
aoc/sepolicy/allowlist/aocxd_neverallow.te
Normal file
11
aoc/sepolicy/allowlist/aocxd_neverallow.te
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
# set up rule to control the access to aocxd
|
||||
neverallow {
|
||||
domain
|
||||
-hwservicemanager
|
||||
-servicemanager
|
||||
-vndservicemanager
|
||||
-system_suspend_server
|
||||
-dumpstate
|
||||
-hal_audio_default
|
||||
-aocxdallowdomain
|
||||
} aocxd:binder { call transfer };
|
||||
6
aoc/sepolicy/allowlist/aocxdallowdomain.te
Normal file
6
aoc/sepolicy/allowlist/aocxdallowdomain.te
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
# Aocx AIDL service
|
||||
allow aocxdallowdomain aocx:service_manager find;
|
||||
|
||||
binder_call(aocxdallowdomain, aocxd)
|
||||
# Allow aocxd asynchronous callback to aocxdallowdomain
|
||||
binder_call(aocxd, aocxdallowdomain)
|
||||
2
aoc/sepolicy/allowlist/attributes
Normal file
2
aoc/sepolicy/allowlist/attributes
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# Allow domain to access aocx HAL API
|
||||
attribute aocxdallowdomain;
|
||||
Loading…
Add table
Add a link
Reference in a new issue