Blame - public/hal_cas.te - android_system_sepolicy

blob: fd5d63bb4832e705082ae691aa373cc3ecd3cfd4 [file] [log] [blame]

Dan Cashman	91d398d	2017-09-26 12:58:29 -0700	[diff] [blame^]	1	# HwBinder IPC from client to server, and callbacks
				2	binder_call(hal_cas_client, hal_cas_server)
				3	binder_call(hal_cas_server, hal_cas_client)
				4
				5	add_hwservice(hal_cas_server, hal_cas_hwservice)
				6	allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
				7	allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
				8
				9	# Permit reading device's serial number from system properties
				10	get_prop(hal_cas, serialno_prop)
				11
				12	# Read files already opened under /data
				13	allow hal_cas system_data_file:dir { search getattr };
				14	allow hal_cas system_data_file:file { getattr read };
				15	allow hal_cas system_data_file:lnk_file r_file_perms;
				16
				17	# Read access to pseudo filesystems
				18	r_dir_file(hal_cas, cgroup)
				19	allow hal_cas cgroup:dir { search write };
				20	allow hal_cas cgroup:file w_file_perms;
				21
				22	# Allow access to ion memory allocation device
				23	allow hal_cas ion_device:chr_file rw_file_perms;
				24	allow hal_cas hal_graphics_allocator:fd use;
				25
				26	allow hal_cas tee_device:chr_file rw_file_perms;
				27
				28	###
				29	### neverallow rules
				30	###
				31
				32	# hal_cas should never execute any executable without a
				33	# domain transition
				34	neverallow hal_cas { file_type fs_type }:file execute_no_trans;
				35
				36	# do not allow privileged socket ioctl commands
				37	neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;