1# applies all permissions to hal_omx NOT hal_omx_server
2# since OMX must always be in its own process.
3
4binder_call(hal_omx_server, binderservicedomain)
5binder_call(hal_omx_server, { appdomain -isolated_app })
6
7# Allow hal_omx_server access to composer sync fences
8allow hal_omx_server hal_graphics_composer:fd use;
9
10allow hal_omx_server ion_device:chr_file rw_file_perms;
11allow hal_omx_server hal_camera:fd use;
12
13crash_dump_fallback(hal_omx_server)
14
15# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
16# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
17# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
18# via PDX. Thus, there is no need to use pdx_client macro.
19allow hal_omx_server bufferhubd:fd use;
20
21hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
22
23allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
24
25get_prop(hal_omx_client, media_variant_prop)
26get_prop(hal_omx_server, media_variant_prop)
27
28binder_call(hal_omx_client, hal_omx_server)
29binder_call(hal_omx_server, hal_omx_client)
30
31###
32### neverallow rules
33###
34
35# hal_omx_server should never execute any executable without a
36# domain transition
37neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
38
39# The goal of the mediaserver split is to place media processing code into
40# restrictive sandboxes with limited responsibilities and thus limited
41# permissions. Example: Audioserver is only responsible for controlling audio
42# hardware and processing audio content. Cameraserver does the same for camera
43# hardware/content. Etc.
44#
45# Media processing code is inherently risky and thus should have limited
46# permissions and be isolated from the rest of the system and network.
47# Lengthier explanation here:
48# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
49neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
50