1 # HwBinder IPC from client to server, and callbacks 2 binder_call(hal_cas_client, hal_cas_server) 3 binder_call(hal_cas_server, hal_cas_client) 4 5 add_hwservice(hal_cas_server, hal_cas_hwservice) 6 allow hal_cas_client hal_cas_hwservice:hwservice_manager find; 7 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find; 8 9 # Permit reading device's serial number from system properties 10 get_prop(hal_cas, serialno_prop) 11 12 # Read files already opened under /data 13 allow hal_cas system_data_file:dir { search getattr }; 14 allow hal_cas system_data_file:file { getattr read }; 15 allow hal_cas system_data_file:lnk_file r_file_perms; 16 17 # Read access to pseudo filesystems 18 r_dir_file(hal_cas, cgroup) 19 allow hal_cas cgroup:dir { search write }; 20 allow hal_cas cgroup:file w_file_perms; 21 22 # Allow access to ion memory allocation device 23 allow hal_cas ion_device:chr_file rw_file_perms; 24 allow hal_cas hal_graphics_allocator:fd use; 25 26 allow hal_cas tee_device:chr_file rw_file_perms; 27 28 ### 29 ### neverallow rules 30 ### 31 32 # hal_cas should never execute any executable without a 33 # domain transition 34 neverallow hal_cas { file_type fs_type }:file execute_no_trans; 35 36 # do not allow privileged socket ioctl commands 37 neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 38
