private/technical_debt.cil

; THIS IS A WORKAROUND for the current limitations of the module policy language
; This should be used sparingly until we figure out a saner way to achieve the
; stuff below, for example, by improving typeattribute statement of module
; language.
;
; NOTE: This file has no effect on recovery policy.

; Apps, except isolated apps, are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_allocator_client;
;     typeattribute hal_allocator_client halclientdomain;
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
(typeattributeset halclientdomain (hal_allocator_client))

; Apps, except isolated apps, are clients of OMX-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))

; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_configstore_client;
(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app_all))))))

; Apps, except isolated apps, are clients of Graphics Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps, are clients of Cas HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_cas_client;
(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app_all))))))

; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute hal_camera hal_allocator_client;
(typeattributeset hal_allocator_client (hal_camera))

; Apps, except isolated apps, are clients of Neuralnetworks HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))

; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
;     typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
(typeattribute untrusted_app_visible_hwservice)
(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))

; Properties having both system_property_type and vendor_property_type are illegal
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
(typeattribute system_and_vendor_property_type)
(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))