hal_graphics_composer_default: add sepolicy for display
Fix AVC denial issues. Bug: 260769163 Bug: 261105029 Bug: 261933075 Bug: 261933169 Bug: 262178623 Test: There is no AVC denied log after reboot Change-Id: I291877a0f70f25a43f49a96a2b280be925bb98c5
This commit is contained in:
parent
a0e1ac65e8
commit
7b281b63f2
18 changed files with 73 additions and 97 deletions
|
@ -49,7 +49,6 @@ type persist_camera_file, file_type, vendor_persist_type;
|
|||
type persist_sensor_reg_file, file_type, vendor_persist_type;
|
||||
type persist_ss_file, file_type, vendor_persist_type;
|
||||
type persist_uwb_file, file_type, vendor_persist_type;
|
||||
type persist_display_file, file_type, vendor_persist_type;
|
||||
|
||||
# CHRE
|
||||
type chre_socket, file_type;
|
||||
|
|
|
@ -10,7 +10,6 @@
|
|||
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
|
||||
/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
|
||||
/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
|
||||
|
@ -125,7 +124,6 @@
|
|||
/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
|
||||
/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
|
||||
/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
|
||||
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
|
||||
|
||||
# Raw HID device
|
||||
/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
|
||||
|
|
|
@ -79,33 +79,6 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
|
|||
genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
|
||||
|
||||
# Display
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19472000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
|
||||
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
|
||||
|
||||
# mediacodec_samsung
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
type hal_pixel_display_service, service_manager_type, hal_service_type;
|
||||
type hal_uwb_vendor_service, service_manager_type, hal_service_type;
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
|
||||
hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
|
||||
|
|
|
@ -1,4 +1,2 @@
|
|||
type rls_service, vndservice_manager_type;
|
||||
type vendor_displaycolor_service, vndservice_manager_type;
|
||||
type vendor_surfaceflinger_vndservice, vndservice_manager_type;
|
||||
type eco_service, vndservice_manager_type;
|
||||
|
|
|
@ -1,4 +1,2 @@
|
|||
rlsservice u:object_r:rls_service:s0
|
||||
displaycolor u:object_r:vendor_displaycolor_service:s0
|
||||
Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
|
||||
media.ecoservice u:object_r:eco_service:s0
|
||||
|
|
|
@ -5,7 +5,6 @@ dontaudit dumpstate euiccpixel_app:process { signal };
|
|||
dontaudit dumpstate fuse:dir { search };
|
||||
dontaudit dumpstate hal_audio_default:binder { call };
|
||||
dontaudit dumpstate hal_confirmationui_default:binder { call };
|
||||
dontaudit dumpstate hal_graphics_composer_default:binder { call };
|
||||
dontaudit dumpstate hal_health_default:binder { call };
|
||||
dontaudit dumpstate modem_efs_file:dir { getattr };
|
||||
dontaudit dumpstate modem_img_file:dir { getattr };
|
||||
|
|
|
@ -1,60 +0,0 @@
|
|||
# b/260769163
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
|
||||
dontaudit hal_graphics_composer_default hal_power_default:binder { call };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { open };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { read };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
|
||||
# b/260921736
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
|
||||
dontaudit hal_graphics_composer_default hal_power_default:binder { call };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { open };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { read };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
|
||||
# b/261105029
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { map };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { open };
|
||||
dontaudit hal_graphics_composer_default boot_status_prop:file { read };
|
||||
dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr };
|
||||
dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map };
|
||||
dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open };
|
||||
dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read };
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
|
||||
dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
|
||||
dontaudit hal_graphics_composer_default hal_pixel_display_service:service_manager { add };
|
||||
dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
|
||||
dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
|
||||
dontaudit hal_graphics_composer_default persist_display_file:dir { search };
|
||||
dontaudit hal_graphics_composer_default persist_display_file:file { getattr };
|
||||
dontaudit hal_graphics_composer_default persist_display_file:file { open };
|
||||
dontaudit hal_graphics_composer_default persist_display_file:file { read };
|
||||
dontaudit hal_graphics_composer_default persist_file:dir { search };
|
||||
dontaudit hal_graphics_composer_default sysfs_display:file { getattr };
|
||||
dontaudit hal_graphics_composer_default sysfs_display:file { open };
|
||||
dontaudit hal_graphics_composer_default sysfs_display:file { read };
|
||||
dontaudit hal_graphics_composer_default sysfs_display:file { write };
|
||||
dontaudit hal_graphics_composer_default sysfs_leds:file { write };
|
||||
dontaudit hal_graphics_composer_default vendor_display_prop:file { getattr };
|
||||
dontaudit hal_graphics_composer_default vendor_display_prop:file { map };
|
||||
dontaudit hal_graphics_composer_default vendor_display_prop:file { open };
|
||||
dontaudit hal_graphics_composer_default vendor_display_prop:file { read };
|
||||
dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add };
|
||||
dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find };
|
||||
dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add };
|
||||
dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
|
||||
dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
|
||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
|
||||
dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
|
||||
# b/261933075
|
||||
dontaudit hal_graphics_composer_default dumpstate:fd { use };
|
||||
dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
|
||||
# b/262178623
|
||||
dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
|
||||
dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
|
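--- a/vendor/dumpstate.te
+++ b/vendor/dumpstate.te
@@ -0,0 +1,2 @@
+# allow HWC to output to dumpstate via pipe fd
+dump_hal(hal_graphics_composer)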
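--- a/vendor/file.te
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# persist
+type persist_display_file, file_type, vendor_persist_type;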
4
vendor/file_contexts
vendored
4
vendor/file_contexts
vendored
|
@ -9,10 +9,14 @@
|
|||
/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
|
||||
|
||||
# Vendor Firmwares
|
||||
/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
|
||||
|
||||
# persist
|
||||
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
|
||||
|
||||
# Devices
|
||||
/dev/edgetpu-soc u:object_r:edgetpu_device:s0
|
||||
/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
|
||||
|
|
18
vendor/genfs_contexts
vendored
18
vendor/genfs_contexts
vendored
|
@ -18,6 +18,24 @@ genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object
|
|||
genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
|
||||
genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
|
||||
|
||||
# Display
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
|
||||
genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
|
||||
|
||||
# wake up nodes
|
||||
genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
|
||||
|
|
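Review bot: The vendor Display block labels only `19471000.drmdecon/early_wakeup`, `19470000.drmdecon/dqe0/atc` and the `19440000.drmdsim` panel nodes, while the headerless common genfs hunk earlier on this page (whose removed lines are not explicitly marked, so this is inferred from its `-79,33 +79,6` counts) also carried `19472000.drmdecon/early_wakeup`, `19471000.drmdecon/dqe1/atc`, the `19450000.drmdsim` backlight/panel entries and the `als_table` node. If any of those nodes exist on this device they now fall back to the generic sysfs label, and the `sysfs_display`/`sysfs_leds` grants in vendor/hal_graphics_composer_default.te will not cover them, so HWC accesses would be denied again rather than permitted. Worth confirming against the device's actual sysfs tree before relying on the "no AVC denied log after reboot" test, since nodes touched only on panel events may not be exercised by a plain reboot.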
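--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,40 @@
+# allow HWC to access power hal
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+# access sysfs R/W
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;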
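Review bot: `set_prop(hal_graphics_composer_default, vendor_display_prop)` grants the domain write access to the property, yet the denials this commit stops tracking show only `vendor_display_prop:file { getattr map open read }`; unless HWC is known to set that property, `get_prop(hal_graphics_composer_default, vendor_display_prop)` is the least-privilege grant, and the comment `# allow HWC to get/set vendor_display_prop` should match whichever is chosen. Likewise `hal_dumpstate_default:fifo_file { append write }` adds `append`, which the tracked denial did not show; `write` alone matches the observed need. Two smaller points in the same file: `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing semicolon that none of the other macro calls have (the expansion supplies its own rule terminators, so drop it for consistency), and `# boot stauts prop` should read `# boot status prop`.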
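--- a/vendor/service.te
+++ b/vendor/service.te
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, hal_service_type;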
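--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -0,0 +1 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0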
3
vendor/vndservice.te
vendored
3
vendor/vndservice.te
vendored
|
@ -1 +1,4 @@
|
|||
type hal_power_stats_vendor_service, vndservice_manager_type;
|
||||
|
||||
type vendor_displaycolor_service, vndservice_manager_type;
|
||||
type vendor_surfaceflinger_vndservice, vndservice_manager_type;
|
||||
|
|
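--- a/vendor/vndservice_contexts
+++ b/vendor/vndservice_contexts
@@ -0,0 +1,2 @@
+displaycolor u:object_r:vendor_displaycolor_service:s0
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0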