update display sepolicy
Bug: 205073165 Bug: 205656937 Bug: 205779906 Bug: 205904436 Bug: 207062172 Bug: 208721526 Bug: 204718757 Bug: 205904380 Bug: 213133646 Test: checked avc denials for hal_graphics_composer_default and hbmsvmanager_app Change-Id: I964a62fa6570fd9056b420efae7bf2fcbbe9fc9f
This commit is contained in:
parent
673d412421
commit
72dc78222f
11 changed files with 76 additions and 41 deletions
|
@ -42,7 +42,6 @@ dontaudit hal_dumpstate_default sysfs_thermal:file { read };
|
||||||
dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
|
dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
|
||||||
dontaudit hal_dumpstate_default sysfs_wifi:file { open };
|
dontaudit hal_dumpstate_default sysfs_wifi:file { open };
|
||||||
dontaudit hal_dumpstate_default sysfs_wifi:file { read };
|
dontaudit hal_dumpstate_default sysfs_wifi:file { read };
|
||||||
dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
|
|
||||||
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
|
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
|
||||||
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
|
dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
|
||||||
dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
|
dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
# b/205073165
|
|
||||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { getattr };
|
|
||||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map };
|
|
||||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open };
|
|
||||||
dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read };
|
|
||||||
# b/205656937
|
|
||||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
|
|
||||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
|
|
||||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
|
|
||||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
|
|
||||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
|
|
||||||
# b/205779906
|
|
||||||
dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
|
|
||||||
dontaudit hal_graphics_composer_default persist_file:dir { search };
|
|
||||||
# b/205904436
|
|
||||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
|
|
||||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
|
|
||||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
|
|
||||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
|
|
||||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
|
|
||||||
# b/207062172
|
|
||||||
dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
|
|
||||||
dontaudit hal_graphics_composer_default boot_status_prop:file { map };
|
|
||||||
dontaudit hal_graphics_composer_default boot_status_prop:file { open };
|
|
||||||
dontaudit hal_graphics_composer_default boot_status_prop:file { read };
|
|
||||||
dontaudit hal_graphics_composer_default sysfs:file { getattr };
|
|
||||||
dontaudit hal_graphics_composer_default sysfs:file { open };
|
|
||||||
dontaudit hal_graphics_composer_default sysfs:file { read };
|
|
||||||
dontaudit hal_graphics_composer_default sysfs:file { write };
|
|
||||||
# b/208721526
|
|
||||||
dontaudit hal_graphics_composer_default dumpstate:fd { use };
|
|
||||||
dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
|
|
|
@ -1,4 +0,0 @@
|
||||||
# b/204718757
|
|
||||||
dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
|
|
||||||
# b/205904380
|
|
||||||
dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
|
|
|
@ -64,6 +64,7 @@ type persist_modem_file, file_type, vendor_persist_type;
|
||||||
type persist_sensor_reg_file, file_type, vendor_persist_type;
|
type persist_sensor_reg_file, file_type, vendor_persist_type;
|
||||||
type persist_ss_file, file_type, vendor_persist_type;
|
type persist_ss_file, file_type, vendor_persist_type;
|
||||||
type persist_uwb_file, file_type, vendor_persist_type;
|
type persist_uwb_file, file_type, vendor_persist_type;
|
||||||
|
type persist_display_file, file_type, vendor_persist_type;
|
||||||
|
|
||||||
# CHRE
|
# CHRE
|
||||||
type chre_socket, file_type;
|
type chre_socket, file_type;
|
||||||
|
|
|
@ -200,6 +200,7 @@
|
||||||
/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
|
/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
|
||||||
/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
|
/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
|
||||||
/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
|
/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
|
||||||
|
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
|
||||||
|
|
||||||
# Extra mount images
|
# Extra mount images
|
||||||
/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
|
/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
|
||||||
|
|
|
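Review bot: `/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0` introduces a new label on a path that lives on the persist partition, which the build does not relabel; anything already present under that directory on devices in the field keeps its old label until something runs restorecon over it. Confirm that init already does a recursive restorecon of /mnt/vendor/persist (common on this family of devices, but not visible here), otherwise the HWC read rules added elsewhere in this change will still be denied on upgraded units. A one-line comment such as `# display calibration data; relabeled at boot by restorecon of /mnt/vendor/persist` would record that dependency.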
@ -60,14 +60,26 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u
|
||||||
|
|
||||||
# Display
|
# Display
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
|
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_display:s0
|
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_display:s0
|
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_display:s0
|
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_display:s0
|
|
||||||
genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
|
genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
|
||||||
genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||||
genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||||
|
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||||
|
genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||||
|
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||||
|
genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
|
||||||
|
genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
|
||||||
|
|
||||||
|
|
||||||
# mediacodec_samsung
|
# mediacodec_samsung
|
||||||
genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
|
genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
|
||||||
|
|
||||||
|
|
|
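Review bot: Relabeling both `.../drmdsim.0/backlight` directories as `sysfs_leds` (the lines that replace the four per-node `sysfs_display` entries for als_table, brightness, local_hbm_mode and state) moves panel tuning nodes under a core type shared with other LED consumers. Any domain that already has write access to `sysfs_leds` (the lights HAL is the usual one — confirm against the rest of the tree) presumably gains the same write access to local_hbm_mode and als_table as the HWC, and genfscon prefix matching also covers any node added under that directory later. If only brightness is meant to be shared, keeping the other nodes on `sysfs_display` or a vendor-defined backlight type preserves the distinction; at minimum record the intent with `# panel backlight is labeled sysfs_leds so the lights HAL and HWC share it`. Also note that `panel_name`, `serial_number` and `tui_status` become `sysfs_display`, on which the HWC holds rw_file_perms, so whether those nodes are writable is left to the driver's file mode.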
@ -6,3 +6,6 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
|
||||||
|
|
||||||
allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
|
allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
|
||||||
allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
|
allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
|
||||||
|
|
||||||
|
allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
|
||||||
|
binder_call(hal_dumpstate_default, hal_graphics_composer_default);
|
||||||
|
|
|
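Review bot: `binder_call(hal_dumpstate_default, hal_graphics_composer_default);` carries a trailing semicolon while the same macro in this change's hbmsvmanager_app rule and the `vndbinder_use(...)` call do not; the tree should settle on one form. Worth a comment that `binder_call` is not one-way — as defined in AOSP's te_macros it presumably also lets the HWC transfer references to this domain and lets this domain use fds the HWC hands it — so the pair of rules grants more than the `vendor_displaycolor_service:service_manager find` suggests. A why-comment such as `# dumpstate calls into HWC/libdisplaycolor to collect display color debug data` would tie both rules to the denial they close.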
@ -1,9 +1,49 @@
|
||||||
|
# allow HWC to access power hal
|
||||||
hal_client_domain(hal_graphics_composer_default, hal_power)
|
hal_client_domain(hal_graphics_composer_default, hal_power)
|
||||||
|
|
||||||
# allow HWC to access vendor_displaycolor_service
|
# allow HWC to access vendor_displaycolor_service
|
||||||
add_service(hal_graphics_composer_default, vendor_displaycolor_service)
|
add_service(hal_graphics_composer_default, vendor_displaycolor_service)
|
||||||
|
|
||||||
add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
|
add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
|
||||||
|
|
||||||
add_service(hal_graphics_composer_default, hal_pixel_display_service)
|
add_service(hal_graphics_composer_default, hal_pixel_display_service)
|
||||||
|
|
||||||
|
# access sysfs R/W
|
||||||
allow hal_graphics_composer_default sysfs_display:dir search;
|
allow hal_graphics_composer_default sysfs_display:dir search;
|
||||||
allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
|
allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
|
||||||
|
|
||||||
|
userdebug_or_eng(`
|
||||||
|
# allow HWC to access vendor log file
|
||||||
|
allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
|
||||||
|
allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
|
||||||
|
# For HWC/libdisplaycolor to generate calibration file.
|
||||||
|
allow hal_graphics_composer_default persist_display_file:file create_file_perms;
|
||||||
|
allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
# allow HWC/libdisplaycolor to read calibration data
|
||||||
|
allow hal_graphics_composer_default mnt_vendor_file:dir search;
|
||||||
|
allow hal_graphics_composer_default persist_file:dir search;
|
||||||
|
allow hal_graphics_composer_default persist_display_file:file r_file_perms;
|
||||||
|
allow hal_graphics_composer_default persist_display_file:dir search;
|
||||||
|
|
||||||
|
# allow HWC to r/w backlight
|
||||||
|
allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
|
||||||
|
allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
|
||||||
|
|
||||||
|
# allow HWC to get vendor_persist_sys_default_prop
|
||||||
|
get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
|
||||||
|
|
||||||
|
# allow HWC to get vendor_display_prop
|
||||||
|
get_prop(hal_graphics_composer_default, vendor_display_prop)
|
||||||
|
|
||||||
|
# boot stauts prop
|
||||||
|
get_prop(hal_graphics_composer_default, boot_status_prop);
|
||||||
|
|
||||||
|
# allow HWC to output to dumpstate via pipe fd
|
||||||
|
allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
|
||||||
|
allow hal_graphics_composer_default hal_dumpstate_default:fd use;
|
||||||
|
|
||||||
|
# socket / vnd service
|
||||||
|
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||||
|
vndbinder_use(hal_graphics_composer_default)
|
||||||
|
|
|
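Review bot: The dumpstate rules near the end of the hunk name `hal_dumpstate_default` (`allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };` and the matching `fd use`), whereas the tracking entries this commit deletes for b/208721526 were against the core `dumpstate` domain; if the pipe reaches the HWC from dumpstate itself (lshal/dumpsys path) rather than from the vendor dumpstate HAL, that denial will come back — confirm which domain the denial log showed. `get_prop(hal_graphics_composer_default, boot_status_prop);` has a trailing semicolon that the two `get_prop` calls just above it lack, and its comment `# boot stauts prop` should read `# boot status prop`. The `userdebug_or_eng` block deserves a note that on user builds the HWC only gets `r_file_perms` on `persist_display_file`, so calibration data must already exist there, e.g. `# user builds: calibration data is read-only; it is generated only on userdebug/eng`. The `sysfs_leds:file rw_file_perms` grant covers every node under the relabeled backlight directories, not just brightness, which `# allow HWC to r/w backlight` could say explicitly.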
@ -1,3 +1,14 @@
|
||||||
type hbmsvmanager_app, domain;
|
type hbmsvmanager_app, domain;
|
||||||
|
|
||||||
app_domain(hbmsvmanager_app);
|
app_domain(hbmsvmanager_app);
|
||||||
|
|
||||||
|
allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms;
|
||||||
|
allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;
|
||||||
|
|
||||||
|
allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
|
||||||
|
binder_call(hbmsvmanager_app, hal_graphics_composer_default)
|
||||||
|
|
||||||
|
# Standard system services
|
||||||
allow hbmsvmanager_app app_api_service:service_manager find;
|
allow hbmsvmanager_app app_api_service:service_manager find;
|
||||||
|
|
||||||
|
allow hbmsvmanager_app cameraserver_service:service_manager find;
|
||||||
|
|
|
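Review bot: `allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;` gives an app domain write, append, lock and map on every node labeled `sysfs_vendor_sched`, and none of the new rules carries a comment saying which nodes the app writes or why an HBM/SV manager needs `cameraserver_service` and a direct binder path to the HWC. If only a couple of sched nodes are touched, a dedicated type for them, or at least plain `write` rather than `w_file_perms`, would narrow an app-reachable write into vendor sysfs. Since this is an app domain, the HAL behind `hal_pixel_display_service` should treat its transactions as untrusted input; a comment such as `# talks to HWC directly over hal_pixel_display_service, not via system_server` would make that path visible to the next reviewer. Proposed comment for the sched rules: `# writes <node> under the vendor sched sysfs to boost the HBM/SV path` with the actual node named.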
@ -20,6 +20,7 @@ vendor_internal_prop(vendor_gps_prop)
|
||||||
vendor_internal_prop(vendor_ro_sys_default_prop)
|
vendor_internal_prop(vendor_ro_sys_default_prop)
|
||||||
vendor_internal_prop(vendor_persist_sys_default_prop)
|
vendor_internal_prop(vendor_persist_sys_default_prop)
|
||||||
vendor_internal_prop(vendor_logger_prop)
|
vendor_internal_prop(vendor_logger_prop)
|
||||||
|
vendor_internal_prop(vendor_display_prop)
|
||||||
|
|
||||||
# Fingerprint
|
# Fingerprint
|
||||||
vendor_internal_prop(vendor_fingerprint_prop)
|
vendor_internal_prop(vendor_fingerprint_prop)
|
||||||
|
|
|
@ -67,6 +67,9 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop
|
||||||
vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
|
vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
|
||||||
vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
|
vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
|
||||||
|
|
||||||
|
# for display
|
||||||
|
ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
|
||||||
|
|
||||||
# Camera
|
# Camera
|
||||||
vendor.camera. u:object_r:vendor_camera_prop:s0
|
vendor.camera. u:object_r:vendor_camera_prop:s0
|
||||||
|
|
||||||
|
|
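Review bot: `ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0` is written as a prefix entry like its neighbours, so any property whose name starts with `ro.vendor.hwc.drm.device` would also be labeled `vendor_display_prop`; if only the one property is meant, the `exact string` form (`ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 exact string`) pins both the name and the type, assuming this tree already uses typed entries elsewhere (the visible neighbours do not). A comment naming the consumer would also help, e.g. `# DRM device node selected by HWC; read-only, set at build time`.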