From f7f93daaf32309ce5028486ee2a9802ef0257cce Mon Sep 17 00:00:00 2001
From: Lei Ju
Date: Fri, 15 Dec 2023 14:48:25 -0800
Subject: [PATCH] Set up common sepolicy for CHRE

Bug: 248615564
Test: compilation by make sepolicy
Change-Id: I0bde64d26d0c4451343f6f7032aecc20b275feaa
---
chre/README.txt | 5 +++++
chre/hal.mk | 2 ++
chre/sepolicy/file_contexts | 1 +
chre/sepolicy/hal_contexthub_default.te | 29 +++++++++++++++++++++++++
4 files changed, 37 insertions(+)
create mode 100644 chre/README.txt
create mode 100644 chre/hal.mk
create mode 100644 chre/sepolicy/file_contexts
create mode 100644 chre/sepolicy/hal_contexthub_default.te

diff --git a/chre/README.txt b/chre/README.txt
new file mode 100644
index 0000000..3bdea2b
--- /dev/null
+++ b/chre/README.txt
@@ -0,0 +1,5 @@
+This folder contains the common settings for CHRE shared by various platforms.
+
+Dependencies among types can happen. For example, hal_contexthub_default
+depends on sysfs_aoc at the moment. When setting up a device with CHRE
+we should make sure rules of dependent types are included too.
diff --git a/chre/hal.mk b/chre/hal.mk
new file mode 100644
index 0000000..13ebb7f
--- /dev/null
+++ b/chre/hal.mk
@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy/
+PRODUCT_PACKAGES += android.hardware.contexthub-service.generic
\ No newline at end of file
diff --git a/chre/sepolicy/file_contexts b/chre/sepolicy/file_contexts
new file mode 100644
index 0000000..0659579
--- /dev/null
+++ b/chre/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
diff --git a/chre/sepolicy/hal_contexthub_default.te b/chre/sepolicy/hal_contexthub_default.te
new file mode 100644
index 0000000..de5ca64
--- /dev/null
+++ b/chre/sepolicy/hal_contexthub_default.te
@@ -0,0 +1,29 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
+
+# Permit communication with AoC
+allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
+
+# Allow context hub HAL to determine AoC's current clock
+allow hal_contexthub_default sysfs_aoc:dir search;
+allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow context hub HAL to create thread to watch AOC's device
+allow hal_contexthub_default aoc_device:dir r_dir_perms;
+
+# Allow context hub HAL to use the USF low latency transport
+usf_low_latency_transport(hal_contexthub_default)
+
+# Allow context hub HAL to talk to the WiFi HAL
+binder_call(hal_contexthub_default, hal_wifi_ext)
+allow hal_contexthub_default hal_wifi_ext_service:service_manager find;
+
+# Allow context hub HAL to talk to stats service
+binder_call(hal_contexthub_default, stats_service_server)
+allow hal_contexthub_default fwk_stats_service:service_manager find;
+
+# Allow context hub HAL to use WakeLock
+wakelock_use(hal_contexthub_default)
+
+# Allow context hub HAL to block suspend, which is required to use EPOLLWAKEUP
+allow hal_contexthub_default self:global_capability2_class_set block_suspend;
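Review bot: `allow hal_contexthub_default aoc_device:chr_file rw_file_perms;` grants the HAL unrestricted ioctl on the AoC character device, because rw_file_perms includes ioctl and the hunk adds no allowxperm rule to narrow it. If the HAL only needs a fixed set of AoC commands, pair it with `allowxperm hal_contexthub_default aoc_device:chr_file ioctl { <AOC_IOCTL_NUMBERS> };` (placeholder for the driver's actual ioctl numbers) so the kernel surface reachable from this domain is the listed commands rather than every handler in the driver. Whether the HAL's ioctl use is bounded cannot be told from this patch, so it is worth confirming against the HAL source before merging. A short comment at the top of the file naming the externally defined types and macros it relies on (aoc_device, sysfs_aoc, sysfs_aoc_boottime, hal_wifi_ext, usf_low_latency_transport, wakelock_use) would also let a device owner verify they are present before adding this directory to BOARD_VENDOR_SEPOLICY_DIRS.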