| # HwBinder IPC from client to server, and callbacks |
| binder_call(hal_cas_client, hal_cas_server) |
| binder_call(hal_cas_server, hal_cas_client) |
| |
| add_hwservice(hal_cas_server, hal_cas_hwservice) |
| allow hal_cas_client hal_cas_hwservice:hwservice_manager find; |
| allow hal_cas_server hidl_memory_hwservice:hwservice_manager find; |
| |
| # Permit reading device's serial number from system properties |
| get_prop(hal_cas_server, serialno_prop) |
| |
| # Read files already opened under /data |
| allow hal_cas system_data_file:file { getattr read }; |
| |
| # Read access to pseudo filesystems |
| r_dir_file(hal_cas, cgroup) |
| allow hal_cas cgroup:dir { search write }; |
| allow hal_cas cgroup:file w_file_perms; |
| |
| # Allow access to ion memory allocation device |
| allow hal_cas ion_device:chr_file rw_file_perms; |
| allow hal_cas hal_graphics_allocator:fd use; |
| |
| allow hal_cas tee_device:chr_file rw_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # hal_cas should never execute any executable without a |
| # domain transition |
| neverallow hal_cas_server { file_type fs_type }:file execute_no_trans; |
| |
| # do not allow privileged socket ioctl commands |
| neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; |