diff options
Diffstat (limited to 'prebuilts/api/32.0/public/hal_cas.te')
| -rw-r--r-- | prebuilts/api/32.0/public/hal_cas.te | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/public/hal_cas.te b/prebuilts/api/32.0/public/hal_cas.te new file mode 100644 index 000000000..e699a6bac --- /dev/null +++ b/prebuilts/api/32.0/public/hal_cas.te @@ -0,0 +1,38 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(hal_cas_client, hal_cas_server) +binder_call(hal_cas_server, hal_cas_client) + +hal_attribute_hwservice(hal_cas, hal_cas_hwservice) +allow hal_cas_server hidl_memory_hwservice:hwservice_manager find; + +# Permit reading device's serial number from system properties +get_prop(hal_cas_server, serialno_prop) + +# Read files already opened under /data +allow hal_cas system_data_file:file { getattr read }; + +# Read access to pseudo filesystems +r_dir_file(hal_cas, cgroup) +allow hal_cas cgroup:dir { search write }; +allow hal_cas cgroup:file w_file_perms; + +r_dir_file(hal_cas, cgroup_v2) +allow hal_cas cgroup_v2:dir { search write }; +allow hal_cas cgroup_v2:file w_file_perms; + +# Allow access to ion memory allocation device +allow hal_cas ion_device:chr_file rw_file_perms; +allow hal_cas hal_graphics_allocator:fd use; + +allow hal_cas tee_device:chr_file rw_file_perms; + +### +### neverallow rules +### + +# hal_cas should never execute any executable without a +# domain transition +neverallow hal_cas_server { file_type fs_type }:file execute_no_trans; + +# do not allow privileged socket ioctl commands +neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; |