| type wfdservice, domain; |
| type wfdservice_exec, exec_type, file_type; |
| |
| #Allow for transition from init domain to wfdservice |
| init_daemon_domain(wfdservice) |
| |
| #Inherit base socket permissions from netd domain |
| net_domain(wfdservice) |
| |
| #Allow wfdservice to use Binder IPC |
| binder_use(wfdservice) |
| |
| #Allow for interaction with Display HAL |
| binder_call(wfdservice, surfaceflinger) |
| binder_call(surfaceflinger, wfdservice) |
| |
| #Allow apps to interact with wfdservice |
| binder_call(wfdservice, platform_app) |
| binder_call(platform_app, wfdservice) |
| binder_call(wfdservice, system_app) |
| binder_call(system_app, wfdservice) |
| |
| #Allow access to Audio Flinger APIs |
| binder_call(wfdservice, mediaserver) |
| |
| #Allow access to Permission Controller in System Server |
| binder_call(wfdservice, system_server) |
| |
| # Mark wfdservice as a Binder service domain |
| binder_service(wfdservice) |
| |
| #Allow wfdservice to be registered with service manager |
| allow wfdservice wfdservice_service:service_manager add; |
| |
| #Allow access to PCM sound card |
| allow wfdservice audio_device:chr_file rw_file_perms; |
| allow wfdservice audio_device:dir r_dir_perms; |
| |
| #Allow access to /dev/graphics/fb* for screen capture |
| allow wfdservice graphics_device:chr_file rw_file_perms; |
| |
| #Allow communication with init over property server |
| unix_socket_connect(wfdservice, property, init); |
| |
| #Allow access to /dev/video/* devices for encoding/decoding |
| allow wfdservice video_device:chr_file rw_file_perms; |
| allow wfdservice video_device:dir r_dir_perms; |
| |
| #Allow access to tee device for HDCP sessions |
| allow wfdservice tee_device:chr_file rw_file_perms; |
| |
| #Allow access to uhid driver for HID event injection |
| allow wfdservice uhid_device:chr_file rw_file_perms; |
| |
| #Allow PROT_EXEC for 3rd party library loaded by wfdservice |
| allow wfdservice self:process execmem; |
| |
| userdebug_or_eng(` |
| #Allow access to read mmosal_logmask file in /data partition |
| allow wfdservice system_data_file:file r_file_perms; |
| #Allow access to dump encoder/decoder dumps in /data/misc/media |
| allow wfdservice media_data_file:dir w_dir_perms; |
| allow wfdservice media_data_file:file create_file_perms; |
| ') |
| |
| #Allow access to firmware files for HDCP session |
| r_dir_file(wfdservice, firmware_file) |
| |
| #Allow access to /data/media for dumping |
| allow wfdservice media_rw_data_file:dir create_dir_perms; |
| allow wfdservice media_rw_data_file:file create_file_perms; |
| |
| #allow access to sysfs to know HDMI repeater state |
| allow wfdservice sysfs_graphics:file rw_file_perms; |
| allow wfdservice self:netlink_kobject_uevent_socket create_socket_perms; |
| |
| # Allow it to use perflock |
| allow wfdservice mpctl_socket:dir r_dir_perms; |
| allow wfdservice dpmservice:service_manager add; |
| unix_socket_send(wfdservice, mpctl, perfd) |
| unix_socket_connect(wfdservice, mpctl, perfd) |
| unix_socket_send(wfdservice, mpctl, mpdecision) |
| unix_socket_connect(wfdservice, mpctl, mpdecision) |
| |
| # Allow access to input_device for touch input detection |
| allow wfdservice input_device:dir r_dir_perms; |
| allow wfdservice input_device:chr_file r_file_perms; |
| |
| # Allow access to mediaserver, surfaceflinger and permissionmanager |
| # for interaction of wfdservice |
| allow wfdservice {mediaserver_service permission_service surfaceflinger_service wfdservice_service}: service_manager find; |
| |
| #Allow setting of net_admin capability so that libnl API's can be used |
| allow wfdservice self:capability net_admin; |