| Steven Moreland | 7baf725 | 2018-05-25 16:23:37 -0700 | [diff] [blame] | 1 | # applies all permissions to hal_omx NOT hal_omx_server |
| 2 | # since OMX must always be in its own process. |
| 3 | |
| 4 | add_hwservice(hal_omx_server, hal_codec2_hwservice) |
| 5 | add_hwservice(hal_omx_server, hal_omx_hwservice) |
| 6 | |
| 7 | # can route /dev/binder traffic to /dev/vndbinder |
| 8 | vndbinder_use(hal_omx_server) |
| 9 | |
| 10 | binder_call(hal_omx_server, binderservicedomain) |
| 11 | binder_call(hal_omx_server, { appdomain -isolated_app }) |
| 12 | |
| 13 | # Allow hal_omx_server access to composer sync fences |
| 14 | allow hal_omx_server hal_graphics_composer:fd use; |
| 15 | |
| 16 | allow hal_omx_server gpu_device:chr_file rw_file_perms; |
| 17 | allow hal_omx_server video_device:chr_file rw_file_perms; |
| 18 | allow hal_omx_server video_device:dir search; |
| 19 | allow hal_omx_server ion_device:chr_file rw_file_perms; |
| 20 | allow hal_omx_server hal_camera:fd use; |
| 21 | |
| 22 | crash_dump_fallback(hal_omx_server) |
| 23 | |
| 24 | # Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never |
| 25 | # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge |
| 26 | # between those two: it talks to hal_omx_server via Binder and talks to bufferhubd |
| 27 | # via PDX. Thus, there is no need to use pdx_client macro. |
| 28 | allow hal_omx_server bufferhubd:fd use; |
| 29 | |
| Steven Moreland | 8fc7981 | 2018-05-30 16:43:17 -0700 | [diff] [blame^] | 30 | hal_attribute_hwservice_client(hal_omx, hal_omx_hwservice) |
| 31 | hal_attribute_hwservice_client(hal_omx, hal_codec2_hwservice) |
| 32 | |
| Steven Moreland | 7baf725 | 2018-05-25 16:23:37 -0700 | [diff] [blame] | 33 | allow hal_omx_client hidl_token_hwservice:hwservice_manager find; |
| 34 | |
| 35 | binder_call(hal_omx_client, hal_omx_server) |
| Steven Moreland | 8fc7981 | 2018-05-30 16:43:17 -0700 | [diff] [blame^] | 36 | binder_call(hal_omx_server, hal_omx_client) |
| Steven Moreland | 7baf725 | 2018-05-25 16:23:37 -0700 | [diff] [blame] | 37 | |
| 38 | ### |
| 39 | ### neverallow rules |
| 40 | ### |
| 41 | |
| 42 | # hal_omx_server should never execute any executable without a |
| 43 | # domain transition |
| 44 | neverallow hal_omx_server { file_type fs_type }:file execute_no_trans; |
| 45 | |
| 46 | # The goal of the mediaserver split is to place media processing code into |
| 47 | # restrictive sandboxes with limited responsibilities and thus limited |
| 48 | # permissions. Example: Audioserver is only responsible for controlling audio |
| 49 | # hardware and processing audio content. Cameraserver does the same for camera |
| 50 | # hardware/content. Etc. |
| 51 | # |
| 52 | # Media processing code is inherently risky and thus should have limited |
| 53 | # permissions and be isolated from the rest of the system and network. |
| 54 | # Lengthier explanation here: |
| 55 | # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html |
| 56 | neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *; |