Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 75806ef3c529c019ab002072cca7951b91f245aa^! / . / private / audioserver.te
commit75806ef3c529c019ab002072cca7951b91f245aa[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Mar 27 17:18:41 2024 +0900
committerInseob Kim <inseob@google.com>Thu Mar 28 00:33:46 2024 +0000
treecbd0c46779774cd09f127c0e20144c39dff08dca
parente98c6d2b38114e0819a558ef5e0d2793a30eebff [diff] [blame]
Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

diff --git a/private/audioserver.te b/private/audioserver.te
index 74d5e88..54e0208 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te

@@ -1,8 +1,7 @@
 # audioserver - audio services daemon
-
+type audioserver_exec, exec_type, file_type, system_file_type;
 typeattribute audioserver coredomain;
 
-type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
 tmpfs_domain(audioserver)
 
@@ -79,6 +78,20 @@
 # Allow write access to log tag property
 set_prop(audioserver, log_tag_prop);
 
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
+
+# Allow audioserver to access sensorservice.
+allow audioserver sensorservice_service:service_manager find;
+allow audioserver system_server:unix_stream_socket { read write };
+
+# Allow using wake locks
+wakelock_use(audioserver)
+
+# Allow reading audio config props, e.g. af.fast_track_multiplier
+get_prop(audioserver, audio_config_prop)
+get_prop(audioserver, system_audio_config_prop)
+
 ###
 ### neverallow rules
 ###
@@ -99,10 +112,3 @@
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ udp_socket rawip_socket } *;
 neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow using wake locks
-wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
-get_prop(audioserver, system_audio_config_prop)