VR: Add sepolicy for VR HWC service
VR HWC is being split out of VR Window Manager. It creates a HW binder
interface used by SurfaceFlinger which implements the HWComposer HAL and
a regular binder interface which will be used by a system app to receive
the SurfaceFlinger output.
Bug: b/36051907
Test: Ran in permissive mode and ensured no permission errors show in
logcat.
Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae
diff --git a/private/file_contexts b/private/file_contexts
index 6687144..7a52e5c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,6 +256,7 @@
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
#############################
# Vendor files
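Review bot: The new `/system/bin/vr_hwc` entry is placed directly after the `/system/etc/selinux/` policy-file labels, at the tail of the section before `# Vendor files`, rather than beside the other `/system/bin` executables (presumably earlier in the file, outside this hunk). The path has no regex metacharacters, so its position should not affect which label is applied; this is a readability point only. Grouping it with the other daemon binaries makes it easier to audit which executables carry their own exec type. The same ordering point applies to the service_contexts hunk, where `vr_hwc` is added after `vr_window_manager` rather than in sorted position before it.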
diff --git a/private/service_contexts b/private/service_contexts
index db2e9f6..a65cb01 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -157,6 +157,7 @@
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vr_window_manager u:object_r:vr_window_manager_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 1e2245f..bab49c1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,7 +57,7 @@
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
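Review bot: The added `-vr_hwc_service` exclusion on the `find` rule has no comment explaining why system_app is kept away from this service, although the commit description says a system app will consume the regular binder interface. If that consumer runs in the system_app domain, this exclusion would deny its lookup once enforcing. If it runs in a dedicated domain, the rule is the right least-privilege choice, but the reader cannot tell which from here. A comment above the rule would settle it, for example `# vr_hwc_service is excluded: find is granted only to the domain that consumes VR HWC output.`, adjusted to name the actual consumer domain. The `keystore_key` allow block that follows continues outside the hunk.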
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 0000000..51d2420
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,4 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
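Review bot: The new domain file has no header comment saying what vr_hwc is or where its remaining policy lives; only the `coredomain` attribute and the init transition are defined here. A first line such as `# vr_hwc: VR hardware composer daemon, split out of VR Window Manager.` would help. The declarations of `vr_hwc`, `vr_hwc_exec` and `vr_hwc_service`, and the binder/hwbinder and service-add rules, are not in any hunk shown and are presumably in another file of this change. It is worth confirming there that only vr_hwc may add `vr_hwc_service`, and that `find` on it is limited to the intended consumer. Because the commit was tested in permissive mode, a boot in enforcing mode would also confirm the daemon starts and registers with exactly the rules granted.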