selinux: New aocx service

Add new aocxd server domain
- Allow aocxd to access AOC resources
- Add new aocx binder vendor service

Allow audio hal to find and talk to aocx

avc error tcontext=u:object_r:binder_device:s0 tclass=chr_file or tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

avc:  denied  { add } for pid=1073 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:aocx:s0 tclass=service_manager

avc:  denied  { call } for  scontext=u:r:hal_audio_default:s0 tcontext=u:r:aocxd:s0 tclass=binder

BUG: 315853303
Change-Id: Ide16a2be9f032bef60f43d4d3daa6372ae06b057
diff --git a/aoc/aoc.mk b/aoc/aoc.mk
index 2eadb08..136bb42 100644
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@@ -1,7 +1,8 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
 
 PRODUCT_PACKAGES += dump_aoc \
-		    aocd
+		    aocd \
+		    aocxd
 
 ifeq (,$(filter aosp_%,$(TARGET_PRODUCT)))
 # IAudioMetricExt HIDL
@@ -23,4 +24,5 @@
 	aocdump \
 	aocutil \
 	aoc_audio_cfg \
-	vp_util
+	vp_util \
+	aocx_tool
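Review bot: `aocx_tool` is installed here, but unlike `aocxd` the commit adds no `file_contexts` entry or domain for it, so it presumably keeps the default vendor label and runs in the domain of whatever invokes it. The variable this list belongs to starts outside the hunk. If it is a debug-only package list that is probably acceptable, and a comment such as `# aocx_tool: debug client for the aocx service, not shipped on user builds` (adjust to the real intent) would make that explicit. If the tool is meant to ship on user builds, it needs its own label and client rules for the aocx service.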
diff --git a/aoc/sepolicy/aocxd.te b/aoc/sepolicy/aocxd.te
new file mode 100644
index 0000000..bd9396f
--- /dev/null
+++ b/aoc/sepolicy/aocxd.te
@@ -0,0 +1,25 @@
+# aocxd server domain
+type aocxd, domain;
+type aocxd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocxd)
+
+# sysfs operations
+allow aocxd sysfs_aoc:dir search;
+
+# dev operations
+allow aocxd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocxd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocxd, vendor_aoc_prop);
+
+# allow binder access
+vndbinder_use(aocxd);
+
+# allow managing wakelocks
+wakelock_use(aocxd);
+
+# add aocx service to the domain
+add_service(aocxd, aocx);
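Review bot: The policy in this file covers only the server side (`vndbinder_use`, `add_service`), while the description says the audio HAL should find and talk to aocx and quotes a `{ call }` denial from `hal_audio_default` to `aocxd`. No rule in the visible diff grants that client access, so the quoted denial would still occur unless it is handled in another change. If it is handled elsewhere, the description should say so. Otherwise the audio HAL policy needs something like `allow hal_audio_default aocx:service_manager find;` and `binder_call(hal_audio_default, aocxd)`. A header comment naming the intended clients of the service would also make the scope of this domain reviewable.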
diff --git a/aoc/sepolicy/file_contexts b/aoc/sepolicy/file_contexts
index 58edf2f..617b7b9 100644
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@@ -27,11 +27,13 @@
 /dev/acd-audio_ap_offload_rx        u:object_r:aoc_device:s0
 /dev/acd-audio_ap_offload_tx        u:object_r:aoc_device:s0
 /dev/acd-mel_processor              u:object_r:aoc_device:s0
+/dev/acd-aocx_control               u:object_r:aoc_device:s0
 
 # AoC vendor binaries
 /vendor/bin/aocd                    u:object_r:aocd_exec:s0
 /vendor/bin/aocdump                 u:object_r:aocdump_exec:s0
 /vendor/bin/dump/dump_aoc           u:object_r:dump_aoc_exec:s0
+/vendor/bin/aocxd                   u:object_r:aocxd_exec:s0
 
 # AoC audio files
 /vendor/etc/aoc(/.*)?               u:object_r:aoc_audio_file:s0
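Review bot: Labelling `/dev/acd-aocx_control` with the shared `aoc_device` type exposes the new control node to every domain that already has `aoc_device:chr_file` access. In the other direction, the `allow aocxd aoc_device:chr_file rw_file_perms;` rule in aocxd.te gives aocxd read/write on all the other `/dev/acd-*` nodes. If aocxd only needs its control node, a dedicated device type (for example `aocx_control_device`, a name constructed for this note) with a matching `chr_file rw_file_perms` rule would keep both directions least-privilege. If the sharing is intentional, a comment above the new entry stating which domains are expected to open the node would help later audits.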
diff --git a/aoc/sepolicy/vndservice.te b/aoc/sepolicy/vndservice.te
new file mode 100644
index 0000000..01c2436
--- /dev/null
+++ b/aoc/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type aocx, vndservice_manager_type;
diff --git a/aoc/sepolicy/vndservice_contexts b/aoc/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..de31e51
--- /dev/null
+++ b/aoc/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+aocx.IAocx    u:object_r:aocx:s0