Allow binder calls between composer and powerstats

This will fix some avc denials: * SELinux : avc: denied { find } for pid=508 uid=1000 name=power.stats-vendor scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:hal_power_stats_vendor_service:s0 tclass=service_manager permissive=0 * binder:501_1: type=1400 audit(0.0:30): avc: denied { call } for scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=0 * android.hardwar: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:hal_power_stats_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=binder permissive=0 Bug: 315497129 Test: check no avc denied between composer & powerstats Change-Id: I6033e088d5706a0d2a6f942f983a05e6148764a9
2024-01-31 06:50:31 +08:00 · 2024-01-31 06:50:31 +08:00 · 24ad0c2d7f
commit 24ad0c2d7f
parent 19a720dbe0
2 changed files with 7 additions and 0 deletions
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@ -41,3 +41,7 @@ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
 allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
 allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
 allow hal_graphics_composer_default vendor_log_file:dir search;
+
+# allow HWC to access powerstats
+allow hal_graphics_composer_default hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_graphics_composer_default, hal_power_stats_default)
--- a/vendor/hal_power_stats_default.te
+++ b/vendor/hal_power_stats_default.te
@ -18,3 +18,6 @@ allow hal_power_stats_default sysfs_odpm:file rw_file_perms;

 # getStateResidency AIDL callback for Bluetooth HAL
 binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+# getStateResidency AIDL callback for Composer HAL
+binder_call(hal_power_stats_default, hal_graphics_composer_default)