Add policies for Atomic Display Framework
ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly. Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343 Signed-off-by: Greg Hackmann <ghackmann@google.com>
parent
778520650a
commit
7004789de3
6
app.te
6
app.te
@ -191,8 +191,10 @@ neverallow { appdomain -unconfineddomain } {
|
|||||||
}:chr_file { read write };
|
}:chr_file { read write };
|
||||||
|
|
||||||
# Note: Try expanding list of app domains in the future.
|
# Note: Try expanding list of app domains in the future.
|
||||||
neverallow { untrusted_app isolated_app shell -unconfineddomain }
|
neverallow { untrusted_app isolated_app shell -unconfineddomain } {
|
||||||
graphics_device:chr_file { read write };
|
adf_device
|
||||||
|
graphics_device
|
||||||
|
}:chr_file { read write };
|
||||||
|
|
||||||
neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
|
neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
|
||||||
{ read write };
|
{ read write };
|
||||||
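Review bot: The neverallow that now covers `adf_device` forbids only `read` and `write`, yet the commit message names ioctls as the access apps must not have; `ioctl` and `open` are separate chr_file permissions, so a later allow rule granting either to untrusted_app, isolated_app or shell would still pass this check. Because adf_device is a new type, it could take a stricter rule of its own without touching the graphics_device entry: `neverallow { untrusted_app isolated_app shell -unconfineddomain } adf_device:chr_file { open read write ioctl };`. The source set is also narrower than the `{ appdomain -unconfineddomain }` rule just above it, so other app domains are not covered for ADF; the existing "Try expanding list of app domains" comment presumably applies here too. Whether any current domain would trip the stricter rule cannot be told from this hunk.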
|
@ -2,6 +2,7 @@
|
|||||||
type device, dev_type, fs_type;
|
type device, dev_type, fs_type;
|
||||||
type alarm_device, dev_type, mlstrustedobject;
|
type alarm_device, dev_type, mlstrustedobject;
|
||||||
type adb_device, dev_type;
|
type adb_device, dev_type;
|
||||||
|
type adf_device, dev_type;
|
||||||
type ashmem_device, dev_type, mlstrustedobject;
|
type ashmem_device, dev_type, mlstrustedobject;
|
||||||
type audio_device, dev_type;
|
type audio_device, dev_type;
|
||||||
type binder_device, dev_type, mlstrustedobject;
|
type binder_device, dev_type, mlstrustedobject;
|
||||||
|
@ -31,6 +31,9 @@
|
|||||||
/dev(/.*)? u:object_r:device:s0
|
/dev(/.*)? u:object_r:device:s0
|
||||||
/dev/akm8973.* u:object_r:sensors_device:s0
|
/dev/akm8973.* u:object_r:sensors_device:s0
|
||||||
/dev/accelerometer u:object_r:sensors_device:s0
|
/dev/accelerometer u:object_r:sensors_device:s0
|
||||||
|
/dev/adf[0-9]* u:object_r:adf_device:s0
|
||||||
|
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:adf_device:s0
|
||||||
|
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:adf_device:s0
|
||||||
/dev/alarm u:object_r:alarm_device:s0
|
/dev/alarm u:object_r:alarm_device:s0
|
||||||
/dev/android_adb.* u:object_r:adb_device:s0
|
/dev/android_adb.* u:object_r:adb_device:s0
|
||||||
/dev/ashmem u:object_r:ashmem_device:s0
|
/dev/ashmem u:object_r:ashmem_device:s0
|
||||||
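Review bot: The three new patterns use `[0-9]*`, which also matches a name with no index at all, such as `/dev/adf` or `/dev/adf-interface.`, while the commit message describes the nodes as /dev/adf[X] and /dev/adf-interface[X].[Y]. Using `+` keeps the label to names that carry an index, e.g. `/dev/adf[0-9]+ u:object_r:adf_device:s0` and `/dev/adf-interface[0-9]+\.[0-9]+ u:object_r:adf_device:s0`, and likewise for the overlay-engine entry. A node that fails to match falls back to the generic `device` label from the `/dev(/.*)?` entry at the top of the hunk, which this commit grants to neither healthd nor surfaceflinger, so confirm the kernel's node names before tightening.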
|
@ -23,6 +23,7 @@ allow healthd sysfs:file write;
|
|||||||
### healthd: charger mode
|
### healthd: charger mode
|
||||||
###
|
###
|
||||||
|
|
||||||
|
allow healthd adf_device:chr_file rw_file_perms;
|
||||||
allow healthd graphics_device:dir r_dir_perms;
|
allow healthd graphics_device:dir r_dir_perms;
|
||||||
allow healthd graphics_device:chr_file rw_file_perms;
|
allow healthd graphics_device:chr_file rw_file_perms;
|
||||||
allow healthd input_device:dir r_dir_perms;
|
allow healthd input_device:dir r_dir_perms;
|
||||||
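Review bot: The added `allow healthd adf_device:chr_file rw_file_perms;` carries no comment, unlike the matching surfaceflinger rule in this commit, which is introduced with `# Access ADF device nodes.`. A line such as `# Charger UI: ADF display nodes (fbdev replacement).` above the rule would record why healthd holds display-device access. The rule sits under the "healthd: charger mode" heading but applies to the healthd domain whenever it runs, which is worth stating in the same comment. The healthd section continues outside the hunk.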
|
@ -30,6 +30,9 @@ allow surfaceflinger gpu_device:chr_file rw_file_perms;
|
|||||||
allow surfaceflinger graphics_device:dir search;
|
allow surfaceflinger graphics_device:dir search;
|
||||||
allow surfaceflinger graphics_device:chr_file rw_file_perms;
|
allow surfaceflinger graphics_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
|
# Access ADF device nodes.
|
||||||
|
allow surfaceflinger adf_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# Access /dev/video1.
|
# Access /dev/video1.
|
||||||
allow surfaceflinger video_device:dir r_dir_perms;
|
allow surfaceflinger video_device:dir r_dir_perms;
|
||||||
allow surfaceflinger video_device:chr_file rw_file_perms;
|
allow surfaceflinger video_device:chr_file rw_file_perms;
|
||||||
|