1 # HwBinder IPC from client to server, and callbacks 2 binder_call(hal_audio_client, hal_audio_server) 3 binder_call(hal_audio_server, hal_audio_client) 4 5 add_hwservice(hal_audio_server, hal_audio_hwservice) 6 allow hal_audio_client hal_audio_hwservice:hwservice_manager find; 7 8 allow hal_audio ion_device:chr_file r_file_perms; 9 10 r_dir_file(hal_audio, proc) 11 r_dir_file(hal_audio, proc_asound) 12 allow hal_audio_server audio_device:dir r_dir_perms; 13 allow hal_audio_server audio_device:chr_file rw_file_perms; 14 15 # Needed to provide debug dump output via dumpsys' pipes. 16 allow hal_audio shell:fd use; 17 allow hal_audio shell:fifo_file write; 18 allow hal_audio dumpstate:fd use; 19 allow hal_audio dumpstate:fifo_file write; 20 21 # allow hal audio to use vnbinder 22 vndbinder_use(hal_audio) 23 24 ### 25 ### neverallow rules 26 ### 27 28 # Should never execute any executable without a domain transition 29 neverallow hal_audio_server { file_type fs_type }:file execute_no_trans; 30 31 # Should never need network access. 32 # Disallow network sockets. 33 neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *; 34 35 # Only audio HAL may directly access the audio hardware 36 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *; 37 38 get_prop(hal_audio, bluetooth_a2dp_offload_prop) 39
