public/hal_cas.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_cas_client, hal_cas_server)
 binder_call(hal_cas_server, hal_cas_client)

 hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;

 hal_attribute_service(hal_cas, hal_cas_service)

 binder_call(hal_cas_server, servicemanager)
 binder_call(hal_cas_client, servicemanager)

 # Permit reading device's serial number from system properties
 get_prop(hal_cas_server, serialno_prop)

 # Read files already opened under /data
 allow hal_cas system_data_file:file { getattr read };

 # Read access to pseudo filesystems
 r_dir_file(hal_cas, cgroup)
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;

 r_dir_file(hal_cas, cgroup_v2)
 allow hal_cas cgroup_v2:dir { search write };
 allow hal_cas cgroup_v2:file w_file_perms;

 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;

 allow hal_cas tee_device:chr_file rw_file_perms;

 ###
 ### neverallow rules
 ###

 # hal_cas should never execute any executable without a
 # domain transition
 neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;

 # do not allow privileged socket ioctl commands
 neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
	# HwBinder IPC from client to server, and callbacks
	binder_call(hal_cas_client, hal_cas_server)
	binder_call(hal_cas_server, hal_cas_client)

	hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
	allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;

	hal_attribute_service(hal_cas, hal_cas_service)

	binder_call(hal_cas_server, servicemanager)
	binder_call(hal_cas_client, servicemanager)

	# Permit reading device's serial number from system properties
	get_prop(hal_cas_server, serialno_prop)

	# Read files already opened under /data
	allow hal_cas system_data_file:file { getattr read };

	# Read access to pseudo filesystems
	r_dir_file(hal_cas, cgroup)
	allow hal_cas cgroup:dir { search write };
	allow hal_cas cgroup:file w_file_perms;

	r_dir_file(hal_cas, cgroup_v2)
	allow hal_cas cgroup_v2:dir { search write };
	allow hal_cas cgroup_v2:file w_file_perms;

	# Allow access to ion memory allocation device
	allow hal_cas ion_device:chr_file rw_file_perms;
	allow hal_cas hal_graphics_allocator:fd use;

	allow hal_cas tee_device:chr_file rw_file_perms;

	###
	### neverallow rules
	###

	# hal_cas should never execute any executable without a
	# domain transition
	neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;

	# do not allow privileged socket ioctl commands
	neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;