sepolicy: legacy: isolated_app >>> isolated_app_all

[1] - Follow changes from LA_AU.VENDOR14 vndr

Change-Id: I0fce4f8813566ed11ff701b996ff27e75f199223
Signed-off-by: chrisl7 <wandersonrodriguesf1@gmail.com>
chrisl7 2023-11-07 00:21:31 +00:00 committed by CHRISL7
parent b50135fb76
commit 16ab1d68d2
3 changed files with 10 additions and 10 deletions


@ -25,10 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_socinfo); r_dir_file({domain - isolated_app_all - untrusted_app_all }, sysfs_socinfo);
r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_soc); r_dir_file({domain - isolated_app_all - untrusted_app_all }, sysfs_soc);
r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_esoc); r_dir_file({domain - isolated_app_all - untrusted_app_all }, sysfs_esoc);
r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_ssr); r_dir_file({domain - isolated_app_all - untrusted_app_all }, sysfs_ssr);
#Reding of standard chip details need this #Reding of standard chip details need this
allow untrusted_app_all { allow untrusted_app_all {
@ -37,12 +37,12 @@ allow untrusted_app_all {
sysfs_esoc sysfs_esoc
sysfs_ssr sysfs_ssr
}:dir search; }:dir search;
r_dir_file({domain - isolated_app }, vendor_sysfs_public); r_dir_file({domain - isolated_app_all }, vendor_sysfs_public);
dontaudit domain kernel:system module_request; dontaudit domain kernel:system module_request;
# Allow all domains read access to sysfs_thermal # Allow all domains read access to sysfs_thermal
r_dir_file({domain - isolated_app}, sysfs_thermal); r_dir_file({domain - isolated_app_all}, sysfs_thermal);
# Allow domain to read /vendor -> /system/vendor # Allow domain to read /vendor -> /system/vendor
allow domain system_file:lnk_file getattr; allow domain system_file:lnk_file getattr;
@ -77,6 +77,6 @@ get_prop(domain, vendor_public_vendor_default_prop)
allow domain qti_debugfs:dir search; allow domain qti_debugfs:dir search;
# allow all context to read sysfs_kgsl # allow all context to read sysfs_kgsl
allow { domain - isolated_app } sysfs_kgsl:dir search; allow { domain - isolated_app_all } sysfs_kgsl:dir search;
# allow all context to read gpu model # allow all context to read gpu model
allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms; allow { domain - isolated_app_all } sysfs_kgsl_gpu_model:file r_file_perms;
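Review bot: The comments above the sysfs_thermal, sysfs_kgsl and gpu-model rules still say "all domains" / "all context", while the new rules subtract `isolated_app_all`, which reads as an attribute rather than the single `isolated_app` type. Every type carrying that attribute is therefore denied these reads, and neither the comments nor the commit message says the exclusion was widened on purpose. Suggest rewording them, e.g. `# Allow all domains except isolated apps (isolated_app_all) read access to sysfs_thermal`, and doing the same for the two kgsl comments. The same substitution appears in the two DRM HAL sections (`{ appdomain -isolated_app_all }:fd use`). It presumably requires a platform policy that declares `isolated_app_all`, so it is worth confirming that this legacy tree is only built against a matching system sepolicy.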


@ -35,4 +35,4 @@ hal_server_domain(hal_drm_clearkey, hal_drm)
vndbinder_use(hal_drm_clearkey); vndbinder_use(hal_drm_clearkey);
allow hal_drm_clearkey { appdomain -isolated_app }:fd use; allow hal_drm_clearkey { appdomain -isolated_app_all }:fd use;


@ -33,7 +33,7 @@ type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine) init_daemon_domain(hal_drm_widevine)
allow hal_drm_widevine mediacodec:fd use; allow hal_drm_widevine mediacodec:fd use;
allow hal_drm_widevine { appdomain -isolated_app }:fd use; allow hal_drm_widevine { appdomain -isolated_app_all }:fd use;
# The QTI DRM-HAL implementation uses a vendor-binder service provided # The QTI DRM-HAL implementation uses a vendor-binder service provided
# by the HWC HAL. # by the HWC HAL.