diff options
| author | Lei Ju <leiju@google.com> | 2022-12-21 15:58:13 -0800 |
|---|---|---|
| committer | Lei Ju <leiju@google.com> | 2023-11-10 14:18:05 -0800 |
| commit | 89dd17c9ada82787ed7fdf423f3b1736940ca304 (patch) | |
| tree | b035dc53fe903b92d1a351ba9b61233e8aa6d41a | |
| parent | f237b33c72cd025867cb822d547aeb4019400576 (diff) | |
| download | gs101-sepolicy-89dd17c9ada82787ed7fdf423f3b1736940ca304.tar.gz | |
Set up sepolicy for CHRE HAL process
Contexthub (CHRE) team is removing the chre daemon and incorporating
its functionalities into the next gen HAL. This CL copied the
permissions we received in whitechapel/vendor/google/chre.te to
hal_contexthub.te to enable the same set of permissions on gs101.
Bug: 247124878
Test: launch the hal process on oriole and verify it can perform
required operations such as loading nanoapps holding wakelocks,
query nanoapps, etc.
Change-Id: I8ce6b4f7f411e50cf454bb5f1286f73d4d46aced
| -rw-r--r-- | whitechapel/vendor/google/hal_contexthub.te | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/whitechapel/vendor/google/hal_contexthub.te b/whitechapel/vendor/google/hal_contexthub.te index ba776c8..4175b44 100644 --- a/whitechapel/vendor/google/hal_contexthub.te +++ b/whitechapel/vendor/google/hal_contexthub.te @@ -1,3 +1,30 @@ # Allow context hub HAL to communicate with daemon via socket allow hal_contexthub_default chre:unix_stream_socket connectto; -allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file +allow hal_contexthub_default chre_socket:sock_file write; + +# Permit communication with AoC +allow hal_contexthub_default aoc_device:chr_file rw_file_perms; + +# Allow CHRE to determine AoC's current clock +allow hal_contexthub_default sysfs_aoc:dir search; +allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms; + +# Allow CHRE to create thread to watch AOC's device +allow hal_contexthub_default aoc_device:dir r_dir_perms; + +# Allow CHRE to use the USF low latency transport +usf_low_latency_transport(hal_contexthub_default) + +# Allow CHRE to talk to the WiFi HAL +allow hal_contexthub_default hal_wifi_ext:binder { call transfer }; +allow hal_contexthub_default hal_wifi_ext_service:service_manager find; + +# Allow CHRE host to talk to stats service +allow hal_contexthub_default fwk_stats_service:service_manager find; +binder_call(hal_contexthub_default, stats_service_server) + +# Allow CHRE to use WakeLock +wakelock_use(hal_contexthub_default) + +# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP +allow hal_contexthub_default self:global_capability2_class_set block_suspend; |