# HwBinder IPC from client to server, and callbacks
binder_call(hal_cas_client, hal_cas_server)
binder_call(hal_cas_server, hal_cas_client)

# HIDL: the server may register the CAS hwservice, clients may look it up
hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;

# AIDL: same registration/lookup split for the binder service
hal_attribute_service(hal_cas, hal_cas_service)

# Both sides talk to servicemanager to register / resolve services
binder_call(hal_cas_server, servicemanager)
binder_call(hal_cas_client, servicemanager)

# Permit reading device's serial number from system properties
get_prop(hal_cas_server, serialno_prop)

# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };

# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;

r_dir_file(hal_cas, cgroup_v2)
allow hal_cas cgroup_v2:dir { search write };
allow hal_cas cgroup_v2:file w_file_perms;

# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;

# Access to the TEE device node
allow hal_cas tee_device:chr_file rw_file_perms;

###
### neverallow rules
###

# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;