Allow app to conntect to BufferHub service

Bug: 112940221 Test: AHardwareBufferTest Change-Id: I1fd065844e03c7e079dc40b7f7dbb8968f1b00bc
2019-01-04 19:14:07 -08:00 · 2019-01-04 19:14:07 -08:00 · e17b293528
commit e17b293528
parent 2075608582
3 changed files with 7 additions and 1 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -294,6 +294,7 @@ neverallow all_untrusted_apps {
 neverallow all_untrusted_apps {
  coredomain_hwservice
  -same_process_hwservice
+  -fwk_bufferhub_hwservice # Designed for use by any domain
  -hidl_allocator_hwservice # Designed for use by any domain
  -hidl_manager_hwservice # Designed for use by any domain
  -hidl_memory_hwservice # Designed for use by any domain
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@ -50,3 +50,8 @@
 (typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
 (typeattribute untrusted_app_visible_halserver)
 (typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Apps, except isolated apps, are clients of BufferHub HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
--- a/public/fwk_bufferhub.te
+++ b/public/fwk_bufferhub.te
@ -1,4 +1,4 @@
 binder_call(hal_bufferhub_client, hal_bufferhub_server)
 binder_call(hal_bufferhub_server, hal_bufferhub_client)

-add_hwservice(hal_bufferhub_server, fwk_bufferhub_hwservice)
+hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)