From fed627115e5b535cf0de38916af99ff1fd6b4994 Mon Sep 17 00:00:00 2001
From: Kai Hsieh
Date: Tue, 14 Jan 2025 11:23:04 +0800
Subject: [PATCH] Include GIA only on needed, expose GIA permission only if the target service exists

Flag: EXEMPT, bugfix only.
Bug: 388685884
Test: Factory, AOSP and Pixel build success.
Test: Pixel System Service can access GIA features on Pixel device builds.
Test: GIA exists on factory builds.
Change-Id: I12f55f1ce1c717da6d6c45edbb92854f7efa53e5
Signed-off-by: Kai Hsieh
---
 input/gia/gia.mk | 24 +++++++++++++-------
 input/gia/sepolicy-pixelsystemservice/gia.te | 8 +++++++
 input/gia/sepolicy/gia.te | 7 ------
 3 files changed, 24 insertions(+), 15 deletions(-)
 create mode 100644 input/gia/sepolicy-pixelsystemservice/gia.te

diff --git a/input/gia/gia.mk b/input/gia/gia.mk
index ea079ca..d46fa96 100644
--- a/input/gia/gia.mk
+++ b/input/gia/gia.mk
@@ -1,11 +1,19 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy
+# GIA is not designed for AOSP
+ifeq (,$(filter aosp_%, $(TARGET_PRODUCT)))
+ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy
 
-PRODUCT_PACKAGES += gia
-PRODUCT_PACKAGES += com.google.input.gia.giaservicemanager
+ # If Pixel System Service exists, allow it to access GIA
+ ifeq (,$(filter factory_%, $(TARGET_PRODUCT)))
+ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/input/gia/sepolicy-pixelsystemservice
+ endif
 
-PRODUCT_SOONG_NAMESPACES += vendor/google/interfaces
-PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core
-PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core-servicemanager
+ PRODUCT_PACKAGES += gia
+ PRODUCT_PACKAGES += com.google.input.gia.giaservicemanager
 
-DEVICE_MANIFEST_FILE += device/google/gs-common/input/gia/aidl/manifest.xml
-DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/input/gia/aidl/compatibility_matrix.xml
+ PRODUCT_SOONG_NAMESPACES += vendor/google/interfaces
+ PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core
+ PRODUCT_SOONG_NAMESPACES += vendor/google/input/gia/core-servicemanager
+
+ DEVICE_MANIFEST_FILE += device/google/gs-common/input/gia/aidl/manifest.xml
+ DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/input/gia/aidl/compatibility_matrix.xml
+endif
diff --git a/input/gia/sepolicy-pixelsystemservice/gia.te b/input/gia/sepolicy-pixelsystemservice/gia.te
new file mode 100644
index 0000000..d7313cc
--- /dev/null
+++ b/input/gia/sepolicy-pixelsystemservice/gia.te
@@ -0,0 +1,8 @@
+# SEPolicies to be configured only if and only if Pixel System Service exists on the device
+
+# allow pixelsystemservice_app to communicate with gia
+binder_use(pixelsystemservice_app)
+hal_client_domain(pixelsystemservice_app, hal_gia)
+
+# allow gia to execute callback for pixelsystemservice_app
+binder_call(gia, pixelsystemservice_app)
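Review bot: The comment `# If Pixel System Service exists, allow it to access GIA` on the inner `ifeq` describes a condition the code does not check: the sepolicy-pixelsystemservice directory is added whenever TARGET_PRODUCT does not match `factory_%`, so the product-name pattern stands in for the presence of the `pixelsystemservice_app` domain. A non-AOSP, non-factory product that does not define that domain would presumably fail policy compilation on the `hal_client_domain(pixelsystemservice_app, hal_gia)` rule the new directory pulls in, while a factory-named product that does ship the service would silently get no access. Reword the comment to state the actual rule, `# Pixel System Service is not shipped on factory builds; grant it GIA access on every other non-AOSP product`, or, better, gate the directory on a makefile variable set by the products that ship the service rather than on a name pattern. The `aosp_%` filter on the outer `ifeq` has the same shape and deserves the same consideration.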
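Review bot: `binder_use(pixelsystemservice_app)` in the new sepolicy-pixelsystemservice/gia.te is a property of the app domain rather than of gia: any binder client of that domain needs it, so it belongs with the domain's own definition, and placing it in a GIA-specific file means a later removal of GIA would silently revoke it for unrelated callers. Keeping only `hal_client_domain(pixelsystemservice_app, hal_gia)` and `binder_call(gia, pixelsystemservice_app)` here limits this file to the GIA-specific grants; whether the domain's own .te already provides binder_use cannot be seen from this patch and should be confirmed before dropping the line. The header comment also has a typo; `# SEPolicy to be configured if and only if Pixel System Service exists on the device` reads correctly.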
diff --git a/input/gia/sepolicy/gia.te b/input/gia/sepolicy/gia.te
index a0244d2..2c84e7c 100644
--- a/input/gia/sepolicy/gia.te
+++ b/input/gia/sepolicy/gia.te
@@ -16,10 +16,3 @@ hal_server_domain(gia, hal_gia)
 # allow gia for accessing touch related system file-nodes
 allow gia sysfs_touch_gti:dir r_dir_perms;
 allow gia sysfs_touch_gti:file rw_file_perms;
-
-# allow pixelsystemservice_app to communicate with gia
-binder_use(pixelsystemservice_app)
-hal_client_domain(pixelsystemservice_app, hal_gia)
-
-# allow gia to execute callback for pixelsystemservice_app
-binder_call(gia, pixelsystemservice_app)