      1 # HwBinder IPC from client to server, and callbacks
        # The second binder_call below is the server-to-client direction, which is
        # the path the callbacks mentioned above travel over.
      2 binder_call(hal_audio_client, hal_audio_server)
      3 binder_call(hal_audio_server, hal_audio_client)
      4 
        # add_hwservice is a macro defined outside this file; it is what lets the
        # server domain register hal_audio_hwservice with the hwservice manager.
        # The explicit allow that follows gives clients the find permission only.
      5 add_hwservice(hal_audio_server, hal_audio_hwservice)
      6 allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
      7 
        # r_file_perms is the read-side permission set (defined outside this file),
        # so this rule grants no write access to the ion_device node.
        # NOTE(review): presumably needed for buffers allocated through ION -
        # confirm against the HAL implementation.
      8 allow hal_audio ion_device:chr_file r_file_perms;
      9 
     10 userdebug_or_eng(`
          # The rules in this block are emitted only for userdebug and eng build
          # variants; user builds get no audiohal_data_file access from this file.
     11   # used for pcm capture for debug.
          # NOTE(review): captured PCM may include recorded audio such as
          # microphone input, so treat files under this label as sensitive and
          # keep these grants out of user builds.
     12   allow hal_audio audiohal_data_file:dir create_dir_perms;
     13   allow hal_audio audiohal_data_file:file create_file_perms;
     14 ')
     15 
        # r_dir_file (macro defined outside this file) grants read access to
        # directories and files of the given type.
        # NOTE(review): proc is the generic procfs label rather than a dedicated
        # proc_* type, so this grant is broad; confirm which /proc entries the HAL
        # actually reads and whether a narrower type would be enough.
     16 r_dir_file(hal_audio, proc)
        # Audio device nodes: directory read access plus read/write on the
        # character devices themselves.
     17 allow hal_audio audio_device:dir r_dir_perms;
     18 allow hal_audio audio_device:chr_file rw_file_perms;
     19 
     20 # Needed to provide debug dump output via dumpsys' pipes.
        # Each pair grants use of a file descriptor owned by the shell or dumpstate
        # domain plus write on that domain's pipe. No read permission on those
        # pipes is granted here, so the HAL can emit dump output but not consume
        # data from them.
     21 allow hal_audio shell:fd use;
     22 allow hal_audio shell:fifo_file write;
     23 allow hal_audio dumpstate:fd use;
     24 allow hal_audio dumpstate:fifo_file write;
     25 
     26 ###
     27 ### neverallow rules
     28 ###
        # neverallow statements are build-time assertions: policy compilation fails
        # if any allow rule would grant the listed access. They add no permissions
        # themselves.
     29 
     30 # Should never execute any executable without a domain transition
        # The target set covers every type carrying the file_type or fs_type
        # attribute, so the assertion is not limited to a single label.
     31 neverallow hal_audio { file_type fs_type }:file execute_no_trans;
     32 
     33 # Should never need network access.
     34 # Disallow network sockets.
        # Only the tcp_socket, udp_socket and rawip_socket classes are listed;
        # other socket classes are not constrained by this rule.
     35 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
     36 
     37 # Only audio HAL may directly access the audio hardware
        # NOTE(review): the source set is halserverdomain minus hal_audio_server,
        # so this asserts the restriction for other HAL server domains only;
        # domains outside halserverdomain are not covered by this rule and need
        # their own assertion if the statement above is meant to be global.
     38 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
     39