android_device_google_gs-co.../aoc/sepolicy/aocxd.te

# aocxd server domain
type aocxd, domain;
type aocxd_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(aocxd)

# sysfs operations
allow aocxd sysfs_aoc:dir search;

# dev operations
allow aocxd aoc_device:chr_file rw_file_perms;

# allow inotify to watch for additions/removals from /dev
allow aocxd device:dir r_dir_perms;

# set properties
set_prop(aocxd, vendor_aoc_prop);

# allow binder access
vndbinder_use(aocxd);

# allow managing wakelocks
wakelock_use(aocxd);

# add aocx service to the domain
add_service(aocxd, aocx);

# allow managing thread priority
allow aocxd self:global_capability_class_set sys_nice;

allow aocxd dumpstate:fd use;
allow aocxd dumpstate:fifo_file write;
selinux: New aocx service Add new aocxd server domain - Allow aocxd to access AOC resources - Add new aocx binder vendor service Allow audio hal to find and talk to aocx avc error tcontext=u:object_r:binder_device:s0 tclass=chr_file or tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file avc: denied { add } for pid=1073 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:aocx:s0 tclass=service_manager avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:aocxd:s0 tclass=binder BUG: 315853303 Change-Id: Ide16a2be9f032bef60f43d4d3daa6372ae06b057 2023-12-26 23:27:00 +00:00			`# aocxd server domain`
			`type aocxd, domain;`
			`type aocxd_exec, vendor_file_type, exec_type, file_type;`
			`init_daemon_domain(aocxd)`

			`# sysfs operations`
			`allow aocxd sysfs_aoc:dir search;`

			`# dev operations`
			`allow aocxd aoc_device:chr_file rw_file_perms;`

			`# allow inotify to watch for additions/removals from /dev`
			`allow aocxd device:dir r_dir_perms;`

			`# set properties`
			`set_prop(aocxd, vendor_aoc_prop);`

			`# allow binder access`
			`vndbinder_use(aocxd);`

			`# allow managing wakelocks`
			`wakelock_use(aocxd);`

			`# add aocx service to the domain`
			`add_service(aocxd, aocx);`
Allow aocxd to set thread priority aocxd sets thread scheduler to SCHED_FIFO. This is so audio processing in aocxd can run without glitching. vndbinder:11464: type=1400 audit(0.0:17): avc: denied { sys_nice } for capability=23 scontext=u:r:aocxd:s0 tcontext=u:r:aocxd:s0 tclass=capability permissive=0 BUG: 318791959 Change-Id: I9c9148aa7b18ce525091f93956e112b4c178a129 2024-01-12 19:28:00 +00:00
			`# allow managing thread priority`
			`allow aocxd self:global_capability_class_set sys_nice;`
Fix aocx selinux dumpstate permissions After switching aocxd to stable AIDL, we encountered some permissions issues associated with dumpstate: dumpstate: type=1400 audit(0.0:548): avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:aocxd:s0 tclass=binder permissive=0 dumpstate: type=1400 audit(0.0:17): avc: denied { use } for path="pipe:[214567]" dev="pipefs" ino=214567 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0 dumpstate: type=1400 audit(0.0:15): avc: denied { write } for path="pipe:[212933]" dev="pipefs" ino=212933 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=0 TEST: make selinux_policy -j128 adb push $ANDROID_PRODUCT_OUT/vendor/etc/selinux/* /vendor/etc/selinux adb reboot adb root adb bugreport BUG: 347156752 Change-Id: I188263ee9b186736a48fd3a0cfa83745e2e54108 2024-06-14 15:26:53 -07:00
			`allow aocxd dumpstate:fd use;`
			`allow aocxd dumpstate:fifo_file write;`