c4055f0d04
Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
21 lines
704 B
Plaintext
21 lines
704 B
Plaintext
# bufferhubd
|
|
type bufferhubd, domain, mlstrustedsubject;
|
|
type bufferhubd_exec, exec_type, file_type;
|
|
|
|
hal_client_domain(bufferhubd, hal_graphics_allocator)
|
|
|
|
pdx_server(bufferhubd, bufferhub_client)
|
|
pdx_client(bufferhubd, performance_client)
|
|
|
|
# Access the GPU.
|
|
allow bufferhubd gpu_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/ion
|
|
allow bufferhubd ion_device:chr_file r_file_perms;
|
|
|
|
# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
|
|
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
|
|
# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
|
|
# Thus, there is no need to use pdx_client macro.
|
|
allow bufferhubd mediacodec:fd use;
|