| Tri Vo | bc8dc3a | 2019-05-26 13:17:08 -0700 | [diff] [blame^] | 1 | ; THIS IS A WORKAROUND for the current limitations of the module policy language |
| 2 | ; This should be used sparingly until we figure out a saner way to achieve the |
| 3 | ; stuff below, for example, by improving typeattribute statement of module |
| 4 | ; language. |
| 5 | ; |
| 6 | ; NOTE: This file has no effect on recovery policy. |
| 7 | |
| 8 | ; Apps, except isolated apps, are clients of Allocator HAL |
| 9 | ; Unfortunately, we can't currently express this in module policy language: |
| 10 | ; typeattribute { appdomain -isolated_app } hal_allocator_client; |
| 11 | ; typeattribute hal_allocator_client halclientdomain; |
| 12 | (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app)))))) |
| 13 | (typeattributeset halclientdomain (hal_allocator_client)) |
| 14 | |
| 15 | ; Apps, except isolated apps, are clients of OMX-related services |
| 16 | ; Unfortunately, we can't currently express this in module policy language: |
| 17 | (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app)))))) |
| 18 | |
| 19 | ; Apps, except isolated apps, are clients of Configstore HAL |
| 20 | ; Unfortunately, we can't currently express this in module policy language: |
| 21 | ; typeattribute { appdomain -isolated_app } hal_configstore_client; |
| 22 | (typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app)))))) |
| 23 | |
| 24 | ; Apps, except isolated apps, are clients of Graphics Allocator HAL |
| 25 | ; Unfortunately, we can't currently express this in module policy language: |
| 26 | ; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client; |
| 27 | (typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app)))))) |
| 28 | |
| 29 | ; Apps, except isolated apps, are clients of Cas HAL |
| 30 | ; Unfortunately, we can't currently express this in module policy language: |
| 31 | ; typeattribute { appdomain -isolated_app } hal_cas_client; |
| 32 | (typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app)))))) |
| 33 | |
| 34 | ; Domains hosting Camera HAL implementations are clients of Allocator HAL |
| 35 | ; Unfortunately, we can't currently express this in module policy language: |
| 36 | ; typeattribute hal_camera hal_allocator_client; |
| 37 | (typeattributeset hal_allocator_client (hal_camera)) |
| 38 | |
| 39 | ; Apps, except isolated apps, are clients of Neuralnetworks HAL |
| 40 | ; Unfortunately, we can't currently express this in module policy language: |
| 41 | ; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client; |
| 42 | (typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app)))))) |
| 43 | |
| 44 | ; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes. |
| 45 | ; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators. |
| 46 | ; Unfortunately, we can't currently express this in module policy language: |
| 47 | ; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators; |
| 48 | ; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators; |
| 49 | (typeattribute untrusted_app_visible_hwservice) |
| 50 | (typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice)) |
| 51 | (typeattribute untrusted_app_visible_halserver) |
| 52 | (typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver)) |
| 53 | |
| 54 | ; Apps, except isolated apps, are clients of BufferHub HAL |
| 55 | ; Unfortunately, we can't currently express this in module policy language: |
| 56 | ; typeattribute { appdomain -isolated_app } hal_cas_client; |
| 57 | (typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app)))))) |