; THIS IS A WORKAROUND for the current limitations of the module policy language.
; This should be used sparingly until we figure out a saner way to achieve the
; attribute assignments below, for example, by improving the typeattribute
; statement of the module language.
;
; Every statement in this file is written directly in CIL. Each typeattributeset
; adds the types matched by its expression to the named attribute; the rules that
; are attached to those attributes are not in this file.
;
; NOTE: This file has no effect on recovery policy.

; Apps, except isolated apps, are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_allocator_client;
;     typeattribute hal_allocator_client halclientdomain;
; The first statement selects every type in appdomain that is not in
; isolated_app_all; the second adds all of hal_allocator_client to halclientdomain.
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
(typeattributeset halclientdomain (hal_allocator_client))

; Apps, except isolated apps, are clients of OMX-related services
; Unfortunately, we can't currently express this in module policy language:
; NOTE(review): this excludes isolated_app, not isolated_app_all as the Allocator,
; Drm, Configstore and Cas stanzas do. If isolated_app_all covers more types than
; isolated_app, those extra types stay clients here - confirm that is intended.
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
; NOTE(review): excludes isolated_app only (not isolated_app_all) - confirm.
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
; A type is excluded when it is in either isolated_app_all or sdk_sandbox_all.
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))

; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_configstore_client;
(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app_all))))))

; Apps, except isolated apps, are clients of Graphics Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
; Here the module-language form above and the CIL statement agree on isolated_app.
(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))

; Apps, except isolated apps, are clients of Cas HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_cas_client;
(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app_all))))))

; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute hal_camera hal_allocator_client;
; This adds to the hal_allocator_client set started at the top of the file.
; Presumably these types also reach halclientdomain through the statement there -
; verify against the compiled policy.
(typeattributeset hal_allocator_client (hal_camera))

; Apps, except isolated apps, are clients of Neuralnetworks HAL
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
; NOTE(review): the module-language form above subtracts isolated_app_all, but the
; CIL statement below subtracts only isolated_app. One of the two is out of date;
; confirm which exclusion is intended before relying on either.
(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))

; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
;     typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
; Each pair declares the old attribute name and adds every type carrying it to the
; matching *_violators attribute. The *_violators attributes are not declared in
; this file; presumably they are declared elsewhere in the policy.
(typeattribute untrusted_app_visible_hwservice)
(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))

; Properties having both system_property_type and vendor_property_type are illegal
; Unfortunately, we can't currently express this in module policy language:
;     typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
; These statements only declare the attribute and fill it with the intersection of
; the two property attributes. Nothing in this file rejects a non-empty result;
; presumably a check elsewhere in the policy does - confirm.
(typeattribute system_and_vendor_property_type)
(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))