Add sepolicy for dm backend app

Tracked-On: OAM-124639 Signed-off-by: chenyanxzhu <[email protected]>
projectceladon · Nov 13, 2024 · 1ec42f7 · 1ec42f7
1 parent 4cbfbd0
commit 1ec42f7
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 0 deletions.
diff --git a/graphics/dm_backend/backend_client_app.te b/graphics/dm_backend/backend_client_app.te
@@ -0,0 +1,21 @@
+type dm_backend_client_app, domain;
+
+app_domain(dm_backend_client_app)
+net_domain(dm_backend_client_app)
+
+#============= dm_backend_client_app ==============
+allow dm_backend_client_app dm_backend_app_data_file:dir create_dir_perms;
+allow dm_backend_client_app dm_backend_app_data_file:file create_file_perms;
+allow dm_backend_client_app dm_disp_socket:sock_file { write read open };
+
+allow dm_backend_client_app activity_service:service_manager find;
+allow dm_backend_client_app activity_task_service:service_manager find;
+allow dm_backend_client_app content_capture_service:service_manager find;
+allow dm_backend_client_app game_service:service_manager find;
+allow dm_backend_client_app gpu_service:service_manager find;
+allow dm_backend_client_app netstats_service:service_manager find;
+allow dm_backend_client_app surfaceflinger_service:service_manager find;
+allow dm_backend_client_app sysfs_gpu:dir search;
+allow dm_backend_client_app vendor_intel_render_selection_prop:file open;
+allow dm_backend_client_app virtual_device_service:service_manager find;
+allow dm_backend_client_app voiceinteraction_service:service_manager find;
diff --git a/graphics/dm_backend/backend_server.te b/graphics/dm_backend/backend_server.te
@@ -0,0 +1,7 @@
+type dm_backend_server, domain, mlstrustedsubject;
+type dm_backend_server_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(dm_backend_server)
+
+allow dm_backend_server socket_device:dir { add_name remove_name search write };
+allow dm_backend_server dm_disp_socket:sock_file { create write getattr unlink read open };
diff --git a/graphics/dm_backend/file.te b/graphics/dm_backend/file.te
@@ -0,0 +1,2 @@
+type dm_backend_app_data_file, file_type, data_file_type, app_data_file_type;
+type dm_disp_socket, file_type;
diff --git a/graphics/dm_backend/file_contexts b/graphics/dm_backend/file_contexts
@@ -0,0 +1,3 @@
+/system/bin/dm-backend                    u:object_r:dm_backend_server_exec:s0
+/system/bin/acrn-bkend-server             u:object_r:dm_backend_server_exec:s0
+/dev/socket/dm_display_server		  u:object_r:dm_disp_socket:s0
diff --git a/graphics/dm_backend/seapp_contexts b/graphics/dm_backend/seapp_contexts
@@ -0,0 +1 @@
+user=_app seinfo=platform name=com.intel.dm_backend domain=dm_backend_client_app type=dm_backend_app_data_file
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		type dm_backend_app_data_file, file_type, data_file_type, app_data_file_type;
		type dm_disp_socket, file_type;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		user=_app seinfo=platform name=com.intel.dm_backend domain=dm_backend_client_app type=dm_backend_app_data_file