Update SELinux policy for audiohal
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
parent
f5312f8e81
commit
2ff6b4da73
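--- a/private/android_hardware_audio_2_0_service.te
+++ b/private/android_hardware_audio_2_0_service.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(android_hardware_audio_2_0_service)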
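Review bot: The two-line comment above `init_daemon_domain(android_hardware_audio_2_0_service)` runs two statements together, so it is hard to tell which rule has to be private and why. I would reword it to `# type_transition must be in private policy; the domain_trans rules could stay` / `# public, but conceptually belong with the transition.` It would also help to note that this macro is what moves the service out of init's domain when init executes the binary labelled `android_hardware_audio_2_0_service_exec`, since that is the only thing this file does.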
@ -169,6 +169,7 @@
|
||||
/system/bin/wificond u:object_r:wificond_exec:s0
|
||||
/system/bin/rild u:object_r:rild_exec:s0
|
||||
/system/bin/audioserver u:object_r:audioserver_exec:s0
|
||||
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:android_hardware_audio_2_0_service_exec:s0
|
||||
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
|
||||
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
|
||||
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
|
||||
@ -274,6 +275,7 @@
|
||||
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
||||
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
|
||||
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
|
||||
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
|
||||
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
|
||||
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
|
||||
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
|
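--- a/public/android_hardware_audio_2_0_service.te
+++ b/public/android_hardware_audio_2_0_service.te
@@ -0,0 +1,36 @@
+# android_hardware_audio_2_0_service - audio services daemon
+type android_hardware_audio_2_0_service, domain;
+type android_hardware_audio_2_0_service_exec, exec_type, file_type;
+
+hwbinder_use(android_hardware_audio_2_0_service)
+binder_call(android_hardware_audio_2_0_service, audioserver)
+
+allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
+
+allow android_hardware_audio_2_0_service system_file:dir { open read };
+
+userdebug_or_eng(`
+# used for pcm capture for debug.
+allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
+allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(android_hardware_audio_2_0_service, proc)
+allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
+allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# android_hardware_audio_2_0_service should never execute any executable without
+# a domain transition
+neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
+
+# android_hardware_audio_2_0_service should never need network access.
+# Disallow network sockets.
+neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;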
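Review bot: The `unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)` rule is granted on every device on the strength of "seems appropriate for all devices", which is thin justification for giving a domain with `audio_device:chr_file rw_file_perms` a path into the bluetooth domain. If only some devices need it, the rule is better placed in their device policy; if it stays in core policy the comment should name the dependency, for example `# Playing audio on a paired BT device: the HAL connects to the bluetooth domain's socket. TODO: confirm every device needs this.` Separately, `system_file:dir { open read }` is narrower than the `r_dir_perms` that audioserver holds on the same type, and a one-line comment saying the difference is deliberate would keep a later cleanup from widening it.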
@ -9,6 +9,9 @@ binder_call(audioserver, binderservicedomain)
|
||||
binder_call(audioserver, { appdomain ephemeral_app })
|
||||
binder_service(audioserver)
|
||||
|
||||
hwbinder_use(audioserver)
|
||||
binder_call(audioserver, android_hardware_audio_2_0_service)
|
||||
|
||||
r_dir_file(audioserver, proc)
|
||||
allow audioserver ion_device:chr_file r_file_perms;
|
||||
allow audioserver system_file:dir r_dir_perms;
|
||||
|
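Review bot: The added `hwbinder_use(audioserver)` and `binder_call(audioserver, android_hardware_audio_2_0_service)` lines have no comment, while the context lines show audioserver keeping its own `ion_device` and `system_file` access. Nothing in this hunk says which of audioserver's hardware permissions are meant to move to the HAL domain. The rest of the file is outside the hunk, so this may already be tracked elsewhere. I would add `# Reach the audio HAL over hwbinder. TODO(review): list the direct device permissions audioserver can drop once the HAL owns them.` above the two lines, so the least-privilege follow-up is recorded next to the rule that enables it.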
@ -142,6 +142,7 @@ type postinstall_file, file_type;
|
||||
# /data/misc subdirectories
|
||||
type adb_keys_file, file_type, data_file_type;
|
||||
type audio_data_file, file_type, data_file_type;
|
||||
type audiohal_data_file, file_type, data_file_type;
|
||||
type audioserver_data_file, file_type, data_file_type;
|
||||
type bluetooth_data_file, file_type, data_file_type;
|
||||
type bluetooth_logs_data_file, file_type, data_file_type;
|
||||
|
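Review bot: `type audiohal_data_file, file_type, data_file_type;` is declared without a comment, and its only visible consumer is the userdebug/eng PCM-capture rule in public/android_hardware_audio_2_0_service.te. Captured PCM can include microphone input, and the `data_file_type` attribute exposes the directory to any rule written against that attribute, so the intent should be stated beside the declaration, for example `# Debug PCM captures written by the audio HAL (userdebug/eng only).` The hunk shows only part of the /data/misc list, so it cannot be checked from here whether a neverallow elsewhere already limits which domains may read this type.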