blob: e60e2a3f2ab3c1a653dd1d7ce2cb7ea3b7c975eb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# Allow use of USB devices, gralloc buffers, and surface flinger
hal_client_domain(hal_evs_default, hal_graphics_allocator);
hal_client_domain(hal_evs_default, hal_graphics_composer)
# Allow the driver to access EGL
allow hal_evs_default gpu_device:chr_file rw_file_perms;
allow hal_evs_default gpu_device:dir search;
# Allow the driver to use SurfaceFlinger
binder_call(hal_evs_default, surfaceflinger);
allow hal_evs_default surfaceflinger_service:service_manager find;
allow hal_evs_default ion_device:chr_file r_file_perms;
# Allow the driver to use automotive display proxy service
binder_call(hal_evs_default, automotive_display_service_server);
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
# TODO(b/289381868): Remove below line when a vendor process can initialize
# EGL without violating selinux rules.
dontaudit hal_evs_default system_prop:file read;
# Allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_writable_prop)
# allow to use binder IPC.
binder_use(hal_evs_default)
# Allow the driver to access vendor files
allow hal_evs_default vendor_data_file:file r_file_perms;
# Allow to access default property.
# get_prop(hal_evs_default, default_prop) triggers neverallow checks.
# Known issue (b/322843384).
dontaudit hal_evs_default default_prop:file read;
# Allow to access /dev/dma_heap/system
allow hal_evs_default dmabuf_system_heap_device:chr_file r_file_perms;
# Allow to use the media extractor.
allow hal_evs_default mediaextractor_service:service_manager find;
allow hal_evs_default mediaserver_service:service_manager find;
binder_call(hal_evs_default, mediaextractor)
binder_call(hal_evs_default, mediaserver)
# Allow to use OMX service.
hal_client_domain(hal_evs_default, hal_omx)
hal_client_domain(hal_evs_default, hal_codec2)
|
