commit 6b92b30e7ba8ba050bc4e2424f2781f92587bb08
author Bruce Po <brucepo@google.com> Tue Dec 26 23:27:00 2023 +0000
committer Bruce Po <brucepo@google.com> Mon Jan 08 17:57:03 2024 +0000
tree a48524ae01a5f7263755b2d1d5260c1e7ef1c77d
parent 29e115e63ed14d02caf3f86b29b1c50cd41f92c9

selinux: New aocx service

Add new aocxd server domain
- Allow aocxd to access AOC resources
- Add new aocx binder vendor service

Allow audio hal to find and talk to aocx

avc error tcontext=u:object_r:binder_device:s0 tclass=chr_file or tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file

avc:  denied  { add } for pid=1073 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:aocx:s0 tclass=service_manager

avc:  denied  { call } for  scontext=u:r:hal_audio_default:s0 tcontext=u:r:aocxd:s0 tclass=binder

BUG: 315853303
Change-Id: Ide16a2be9f032bef60f43d4d3daa6372ae06b057

aoc/sepolicy/aocxd.te

diff --git a/aoc/sepolicy/aocxd.te b/aoc/sepolicy/aocxd.te
new file mode 100644
index 0000000..bd9396f
--- /dev/null
+++ b/aoc/sepolicy/aocxd.te
@@ -0,0 +1,25 @@
+# aocxd server domain
+type aocxd, domain;
+type aocxd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocxd)
+
+# sysfs operations
+allow aocxd sysfs_aoc:dir search;
+
+# dev operations
+allow aocxd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocxd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocxd, vendor_aoc_prop);
+
+# allow binder access
+vndbinder_use(aocxd);
+
+# allow managing wakelocks
+wakelock_use(aocxd);
+
+# add aocx service to the domain
+add_service(aocxd, aocx);