same_process_hal_file: access to individual coredomains Remove blanket coredomain access to same_process_hal_file in favor of granular access. This change takes into account audits from go/sedenials (our internal dogfood program) Bug: 37211678 Test: m selinux_policy Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5

commit: 90cf5a7fb34e586ac1676f3f8fc66b64bfebf8a7 [log] [tgz]
author: Tri Vo <trong@google.com> Thu Oct 18 12:39:35 2018 -0700
committer: Tri Vo <trong@google.com> Fri Oct 26 18:03:01 2018 +0000
tree: 0899ce76271ce1f1d6d4c09955f6b38e935b507a
parent: 564eb9d6d679cac9a865ffd11178dc81c2a211cc [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 048e5b2..42a89d4 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -234,6 +234,7 @@
 
 # Use RenderScript always-passthrough HAL
 allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
 
 # Offer HwBinder services
 add_hwservice(system_server, fwk_scheduler_hwservice)
commit	90cf5a7fb34e586ac1676f3f8fc66b64bfebf8a7	[log] [tgz]
author	Tri Vo <trong@google.com>	Thu Oct 18 12:39:35 2018 -0700
committer	Tri Vo <trong@google.com>	Fri Oct 26 18:03:01 2018 +0000
tree	0899ce76271ce1f1d6d4c09955f6b38e935b507a
parent	564eb9d6d679cac9a865ffd11178dc81c2a211cc [diff] [blame]