-rwxr-xr-xAndroid.mk3
-rw-r--r--common/file_contexts1
-rw-r--r--common/netd.te3
-rw-r--r--common/service.te1
-rw-r--r--common/service_contexts1
-rw-r--r--common/wfdservice.te69
6 files changed, 77 insertions, 1 deletions
diff --git a/Android.mk b/Android.mk
index fbd5e4dd..16fb7fa9 100755
--- a/Android.mk
+++ b/Android.mk
@@ -93,7 +93,8 @@ BOARD_SEPOLICY_UNION := \
energyawareness.te \
hbtp.te \
kernel.te \
- vold.te
+ vold.te \
+ wfdservice.te
# Compile sensor pilicy only for SSC targets
SSC_TARGET_LIST := apq8084
diff --git a/common/file_contexts b/common/file_contexts
index 74f7aa74..3cecd005 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -170,6 +170,7 @@
/system/bin/sapd u:object_r:sapd_exec:s0
/system/bin/btsnoop u:object_r:btsnoop_exec:s0
/system/bin/dun-server u:object_r:dun-server_exec:s0
+/system/bin/wfdservice u:object_r:wfdservice_exec:s0
###################################
# sysfs files
diff --git a/common/netd.te b/common/netd.te
index 124178ad..4ad08aaf 100644
--- a/common/netd.te
+++ b/common/netd.te
@@ -9,3 +9,6 @@ dontaudit netd self:capability sys_module;
#needed for ipt_TCPMSS and ip6t_TCPMSS
allow netd kernel:system module_request;
unix_socket_connect(netd, cnd, cnd)
+
+allow netd wfdservice:fd use;
+allow netd wfdservice:tcp_socket rw_socket_perms;
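Review bot: The two rules added at the end of the hunk (`allow netd wfdservice:fd use;` and `allow netd wfdservice:tcp_socket rw_socket_perms;`) are the only rules in this file without a comment saying which interaction needs them, while the neighbouring `module_request` rule has one. Letting netd read and write a TCP socket owned by another domain is a cross-domain descriptor share, so the comment should name the mechanism that hands the descriptor over (presumably wfdservice passes it to netd over netd's control socket — confirm against the daemon source before merging). Something like `# wfdservice hands its TCP socket fd to netd (<mechanism TBD>) for <purpose TBD>` above the two rules would do; if netd only needs a subset of `rw_socket_perms`, the grant should be narrowed to the operations actually used.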
diff --git a/common/service.te b/common/service.te
index e6625706..b018eebc 100644
--- a/common/service.te
+++ b/common/service.te
@@ -7,3 +7,4 @@ type dun_service, service_manager_type;
type digitalpen_service, service_manager_type;
type imscm_service, service_manager_type;
type color_service, service_manager_type;
+type wfdservice_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index eccd3fdb..2831a31c 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -8,3 +8,4 @@ dun u:object_r:dun_service:s0
DigitalPen u:object_r:digitalpen_service:s0
qti.ims.connectionmanagerservice u:object_r:imscm_service:s0
com.qti.snapdragon.sdk.display.IColorService u:object_r:color_service:s0
+wfdservice u:object_r:wfdservice_service:s0
diff --git a/common/wfdservice.te b/common/wfdservice.te
new file mode 100644
index 00000000..8d51e032
--- /dev/null
+++ b/common/wfdservice.te
@@ -0,0 +1,69 @@
+type wfdservice, domain;
+type wfdservice_exec, exec_type, file_type;
+
+#Allow for transition from init domain to wfdservice
+init_daemon_domain(wfdservice)
+
+#Inherit base socket permissions from netd domain
+net_domain(wfdservice)
+
+#Allow wfdservice to use Binder IPC
+binder_use(wfdservice)
+
+#Allow for interaction with Display HAL
+binder_call(wfdservice, surfaceflinger)
+binder_call(surfaceflinger, wfdservice)
+
+#Allow apps to interact with wfdservice
+binder_call(wfdservice, platform_app)
+binder_call(platform_app, wfdservice)
+binder_call(wfdservice, system_app)
+binder_call(system_app, wfdservice)
+
+#Allow access to Audio Flinger APIs
+binder_call(wfdservice, mediaserver)
+
+#Allow access to Permission Controller in System Server
+binder_call(wfdservice, system_server)
+
+# Mark wfdservice as a Binder service domain
+binder_service(wfdservice)
+
+#Allow wfdservice to be registered with service manager
+allow wfdservice wfdservice_service:service_manager add;
+
+#Allow access to PCM sound card
+allow wfdservice audio_device:chr_file rw_file_perms;
+allow wfdservice audio_device:dir r_dir_perms;
+
+#Allow access to /dev/graphics/fb* for screen capture
+allow wfdservice graphics_device:chr_file rw_file_perms;
+
+#Allow communication with init over property server
+unix_socket_connect(wfdservice, property, init);
+
+#Allow access to /dev/video/* devices for encoding/decoding
+allow wfdservice video_device:chr_file rw_file_perms;
+allow wfdservice video_device:dir r_dir_perms;
+
+#Allow access to tee device for HDCP sessions
+allow wfdservice tee_device:chr_file rw_file_perms;
+
+#Allow access to uhid driver for HID event injection
+allow wfdservice uhid_device:chr_file rw_file_perms;
+
+#Allow PROT_EXEC for 3rd party library loaded by wfdservice
+allow wfdservice self:process execmem;
+
+#Allow access to read mmosal_logmask file in /data partition
+userdebug_or_eng(`
+ allow wfdservice system_data_file:file r_file_perms;
+')
+
+#Allow access to firmware files for HDCP session
+allow wfdservice firmware_file:file r_file_perms;
+allow wfdservice firmware_file:dir r_dir_perms;
+
+#Allow access to /data/media for dumping
+allow wfdservice media_rw_data_file:dir create_dir_perms;
+allow wfdservice media_rw_data_file:file create_file_perms;
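Review bot: The `/data/media` dump rules on the last two lines (`media_rw_data_file:dir create_dir_perms` and `media_rw_data_file:file create_file_perms`) are described as being for dumping yet are granted unconditionally, whereas the debug-only logmask read earlier in the file is correctly wrapped in `userdebug_or_eng(...)`; wrap these two rules the same way so a user build's daemon cannot create arbitrary files under user media storage. The `self:process execmem` grant also deserves a second look: it removes W^X for a privileged daemon that is reachable over binder from `platform_app` and `system_app` and holds `tee_device` and `uhid_device` access, so the comment should name the library that needs it and the rule should be tracked for removal once that library is fixed. The trailing `;` on `unix_socket_connect(wfdservice, property, init);` is inconsistent with every other macro invocation in this file; the macro expands to complete statements, so the semicolon is at best stray and should be dropped. Finally, the comment on `net_domain(wfdservice)` says it inherits permissions from the netd domain, but that macro grants the generic network-domain rules rather than anything specific to netd, so `#Allow wfdservice to use network sockets` would describe it more accurately.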