Merge "Updated SEPolicy for camera/composer/sensors."

Flohack74 · Apr 29, 2017 · 1f03943 · 1f03943
2 parents 940ef50 + 75573c0
commit 1f03943
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 16 deletions.
diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
@@ -29,14 +29,7 @@ r_dir_file(hal_camera, sysfs_type)
 # find libraries
 allow hal_camera system_file:dir r_dir_perms;
 
-# talk over binder to some binder services
-# TODO(b/36569385): Must be moved to HIDL
-binder_use(hal_camera)
-binder_call(hal_camera, binderservicedomain)
-
-allow hal_camera surfaceflinger_service:service_manager find;
-allow hal_camera sensorservice_service:service_manager find;
-allow hal_camera scheduling_policy_service:service_manager find;
+allow hal_camera qdisplay_service:service_manager find;
 
 # talk to system_server
 

diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
@@ -1,6 +1,8 @@
-# TODO(b/36569385): Remove once Camera HAL no longer uses Binder
-typeattribute hal_camera_default binder_in_vendor_violators;
-
 allow hal_camera_default input_device:dir r_dir_perms;
 
 allow hal_camera_default sysfs_laser:file w_file_perms;
+vndbinder_use(hal_camera_default);
+allow hal_camera_default qdisplay_service:service_manager { find };
+
+binder_call(hal_camera_default, hal_graphics_composer)
+binder_call(hal_camera_default, system_server)
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
@@ -1,9 +1,6 @@
 # Binder access (for display.qservice)
-# TODO(35706331): Remove once Graphics Composer HAL stops using Binder
-typeattribute hal_graphics_composer_default binder_in_vendor_violators;
-binder_service(hal_graphics_composer_default)
-binder_use(hal_graphics_composer_default)
-allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };
+vndbinder_use(hal_graphics_composer_default)
+allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
 
 allow hal_graphics_composer_default sysfs_camera:dir search;
 allow hal_graphics_composer_default sysfs_camera:file r_file_perms;

diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
@@ -5,6 +5,7 @@ allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
 binder_call(system_server, per_mgr)
 binder_call(system_server, folio_daemon)
 
+binder_call(system_server, hal_camera_default)
 allow system_server per_mgr_service:service_manager find;
 
 # TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets.

diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type qdisplay_service,             vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+display.qservice                        u:object_r:qdisplay_service:s0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type qdisplay_service, vndservice_manager_type;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		display.qservice u:object_r:qdisplay_service:s0