update display sepolicy
Bug: 205073165 Bug: 205656937 Bug: 205779906 Bug: 205904436 Bug: 207062172 Bug: 208721526 Bug: 204718757 Bug: 205904380 Bug: 213133646 test: check avc denied with hal_graphics_composer_default, hbmsvmanager_app Change-Id: I964a62fa6570fd9056b420efae7bf2fcbbe9fc9f
parent
673d412421
commit
72dc78222f
11 changed files with 76 additions and 41 deletions
|
@ -42,7 +42,6 @@ dontaudit hal_dumpstate_default sysfs_thermal:file { read };
|
|||
dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
|
||||
dontaudit hal_dumpstate_default sysfs_wifi:file { open };
|
||||
dontaudit hal_dumpstate_default sysfs_wifi:file { read };
|
||||
dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
|
||||
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
|
||||
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
|
||||
dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
# b/205073165
|
||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { getattr };
|
||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map };
|
||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open };
|
||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read };
|
||||
# b/205656937
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
|
||||
# b/205779906
|
||||
dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
|
||||
dontaudit hal_graphics_composer_default persist_file:dir { search };
|
||||
# b/205904436
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
|
||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
|
||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
|
||||
# b/207062172
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { map };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { open };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { read };
|
||||
dontaudit hal_graphics_composer_default sysfs:file { getattr };
|
||||
dontaudit hal_graphics_composer_default sysfs:file { open };
|
||||
dontaudit hal_graphics_composer_default sysfs:file { read };
|
||||
dontaudit hal_graphics_composer_default sysfs:file { write };
|
||||
# b/208721526
|
||||
dontaudit hal_graphics_composer_default dumpstate:fd { use };
|
||||
dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
|
|
@ -1,4 +0,0 @@
|
|||
# b/204718757
|
||||
dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
|
||||
# b/205904380
|
||||
dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
|
|
@ -64,6 +64,7 @@ type persist_modem_file, file_type, vendor_persist_type;
|
|||
type persist_sensor_reg_file, file_type, vendor_persist_type;
|
||||
type persist_ss_file, file_type, vendor_persist_type;
|
||||
type persist_uwb_file, file_type, vendor_persist_type;
|
||||
type persist_display_file, file_type, vendor_persist_type;
|
||||
|
||||
# CHRE
|
||||
type chre_socket, file_type;
|
||||
|
|
|
@ -200,6 +200,7 @@
|
|||
/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
|
||||
/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
|
||||
/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
|
||||
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
|
||||
|
||||
# Extra mount images
|
||||
/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
|
||||
|
|
|
@ -60,14 +60,26 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u
|
|||
|
||||
# Display
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
|
||||
|
||||
|
||||
# mediacodec_samsung
|
||||
genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
|
||||
|
||||
|
|
|
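Review bot: The `backlight` directories of `1c2c0000.drmdsim.0` and `1c2d0000.drmdsim.0` are labelled `sysfs_leds`, while `als_table`, `brightness`, `local_hbm_mode` and `state` under the first one are labelled `sysfs_display`, and nothing in the section says the split is intentional. Every backlight node not listed by name, including all nodes of the `1c2d0000` panel, falls back to the directory label `sysfs_leds`. The +/- markers are lost on this page, so which lines are new is inferred from the 14-to-26 line count in the hunk header. I would add a comment above the group, for example `# backlight/ defaults to sysfs_leds; nodes listed by name are relabelled sysfs_display (longest-prefix match)`.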
@ -6,3 +6,6 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
|
|||
|
||||
allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
|
||||
allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
|
||||
|
||||
allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
|
||||
binder_call(hal_dumpstate_default, hal_graphics_composer_default);
|
||||
|
|
|
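Review bot: The `vendor_displaycolor_service` find rule and the `binder_call` into `hal_graphics_composer_default` have no comment saying why the dumpstate HAL needs them, unlike the commented rules in the composer policy of this same commit. A one-line rationale above the pair would do, for example `# dump display color state from the displaycolor service registered by HWC`, with the wording confirmed by the author. The trailing `;` after `binder_call(...)` also differs from the `binder_call(hbmsvmanager_app, hal_graphics_composer_default)` line elsewhere in the commit; pick one form.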
@ -1,9 +1,49 @@
|
|||
# allow HWC to access power hal
|
||||
hal_client_domain(hal_graphics_composer_default, hal_power)
|
||||
|
||||
# allow HWC to access vendor_displaycolor_service
|
||||
add_service(hal_graphics_composer_default, vendor_displaycolor_service)
|
||||
|
||||
add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
|
||||
|
||||
add_service(hal_graphics_composer_default, hal_pixel_display_service)
|
||||
|
||||
# access sysfs R/W
|
||||
allow hal_graphics_composer_default sysfs_display:dir search;
|
||||
allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# allow HWC to access vendor log file
|
||||
allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
|
||||
allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
|
||||
# For HWC/libdisplaycolor to generate calibration file.
|
||||
allow hal_graphics_composer_default persist_display_file:file create_file_perms;
|
||||
allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
# allow HWC/libdisplaycolor to read calibration data
|
||||
allow hal_graphics_composer_default mnt_vendor_file:dir search;
|
||||
allow hal_graphics_composer_default persist_file:dir search;
|
||||
allow hal_graphics_composer_default persist_display_file:file r_file_perms;
|
||||
allow hal_graphics_composer_default persist_display_file:dir search;
|
||||
|
||||
# allow HWC to r/w backlight
|
||||
allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
|
||||
allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
|
||||
|
||||
# allow HWC to get vendor_persist_sys_default_prop
|
||||
get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
|
||||
|
||||
# allow HWC to get vendor_display_prop
|
||||
get_prop(hal_graphics_composer_default, vendor_display_prop)
|
||||
|
||||
# boot stauts prop
|
||||
get_prop(hal_graphics_composer_default, boot_status_prop);
|
||||
|
||||
# allow HWC to output to dumpstate via pipe fd
|
||||
allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
|
||||
allow hal_graphics_composer_default hal_dumpstate_default:fd use;
|
||||
|
||||
# socket / vnd service
|
||||
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
vndbinder_use(hal_graphics_composer_default)
|
||||
|
|
|
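Review bot: The pipe rules near the end of this section target `hal_dumpstate_default` (`hal_dumpstate_default:fifo_file { append write }` and `hal_dumpstate_default:fd use`), but the tracking entries this commit deletes for b/208721526 recorded the denial against `dumpstate:fd { use }` and `dumpstate:fifo_file { write }`. Unless another policy file already grants the `dumpstate` case, that denial will reappear once the `dontaudit` lines are gone; confirm with a bugreport run and, if it does, grant only `dumpstate:fd use` and `dumpstate:fifo_file write`. Separately, `sysfs_display:file rw_file_perms` and `sysfs_leds:file rw_file_perms` give HWC write access to every node carrying those labels, so each path later added to genfs_contexts under these types widens the grant. The comment `# boot stauts prop` should read `# boot status prop`.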
@ -1,3 +1,14 @@
|
|||
type hbmsvmanager_app, domain;
|
||||
|
||||
app_domain(hbmsvmanager_app);
|
||||
|
||||
allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms;
|
||||
allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;
|
||||
|
||||
allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
|
||||
binder_call(hbmsvmanager_app, hal_graphics_composer_default)
|
||||
|
||||
# Standard system services
|
||||
allow hbmsvmanager_app app_api_service:service_manager find;
|
||||
|
||||
allow hbmsvmanager_app cameraserver_service:service_manager find;
|
||||
|
|
|
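Review bot: The `cameraserver_service:service_manager find` grant under "Standard system services" and the `sysfs_vendor_sched:file w_file_perms` rule carry no rationale, and neither is obviously part of a display policy change. The +/- markers are lost on this page, so it is inferred from the 3-to-14 line count that most of this section is new. If both are needed, a comment per rule such as `# cameraserver: <reason, bug id>` would let a later audit keep or drop them with confidence. If they were carried over from audit2allow output without a known caller, they are candidates for removal under least privilege.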
@ -20,6 +20,7 @@ vendor_internal_prop(vendor_gps_prop)
|
|||
vendor_internal_prop(vendor_ro_sys_default_prop)
|
||||
vendor_internal_prop(vendor_persist_sys_default_prop)
|
||||
vendor_internal_prop(vendor_logger_prop)
|
||||
vendor_internal_prop(vendor_display_prop)
|
||||
|
||||
# Fingerprint
|
||||
vendor_internal_prop(vendor_fingerprint_prop)
|
||||
|
|
|
@ -67,6 +67,9 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop
|
|||
vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
|
||||
vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
|
||||
|
||||
# for display
|
||||
ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
|
||||
|
||||
# Camera
|
||||
vendor.camera. u:object_r:vendor_camera_prop:s0
|
||||
|
||||
|
|
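Review bot: `ro.vendor.hwc.drm.device` is written as a prefix entry, so any property whose name begins with that string receives `vendor_display_prop`. If only this one property is intended, pin it with `ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 exact string`, using whichever value type matches how HWC sets it. The neighbouring entries in view use the prefix form as well, so this may simply follow the file's convention.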