Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 75806ef3c529c019ab002072cca7951b91f245aa^! / . / private / bootanim.te
commit75806ef3c529c019ab002072cca7951b91f245aa[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Mar 27 17:18:41 2024 +0900
committerInseob Kim <inseob@google.com>Thu Mar 28 00:33:46 2024 +0000
treecbd0c46779774cd09f127c0e20144c39dff08dca
parente98c6d2b38114e0819a558ef5e0d2793a30eebff [diff] [blame]
Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

diff --git a/private/bootanim.te b/private/bootanim.te
index f63a230..d9be72f 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te

@@ -21,3 +21,46 @@
 
 # Allow accessing vendor apex for EGL/GLES
 allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;