Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 557d1916b7628eced290b4a2b3a83990f6b9b824^2..557d1916b7628eced290b4a2b3a83990f6b9b824 / .
commit557d1916b7628eced290b4a2b3a83990f6b9b824[log] [tgz]
authorCarmen Jackson <carmenjackson@google.com>Tue Apr 18 23:37:48 2017 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>Tue Apr 18 23:37:53 2017 +0000
treed58c7b12ad443eb24355c79a971a704170b91d19
parent5007c10a51a150d3af9c29e1392279ffbf9347d9 [diff]
parent25788df11580805a1d1dd082f7a50cbada31bbf0 [diff]
Merge "Add selinux rules for additional file contexts in userdebug" into oc-dev
diff --git a/private/app.te b/private/app.te
index 2fddb44..4c5cb38 100644
--- a/private/app.te
+++ b/private/app.te

@@ -270,9 +270,6 @@
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
 
-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
-
 # Allow app access to mediacodec (IOMX HAL)
 binder_call({ appdomain -isolated_app }, mediacodec)
 

diff --git a/private/system_server.te b/private/system_server.te
index 0f0dcdc..404a253 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -175,7 +175,7 @@
 hal_client_domain(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_graphics_allocator)
 binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -627,7 +627,6 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
 
 r_dir_file(system_server, proc)
 r_dir_file(system_server, proc_meminfo)

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index abc21a7..e95e555 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil

@@ -12,6 +12,11 @@
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
 
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;