sepolicy/evs/hal_evs_default.te

# Allow use of USB devices, gralloc buffers, and surface flinger
hal_client_domain(hal_evs_default, hal_graphics_allocator);
hal_client_domain(hal_evs_default, hal_graphics_composer)

# Allow the driver to access EGL
allow hal_evs_default gpu_device:chr_file rw_file_perms;
allow hal_evs_default gpu_device:dir search;

# Allow the driver to use SurfaceFlinger
binder_call(hal_evs_default, surfaceflinger);
allow hal_evs_default surfaceflinger_service:service_manager find;
allow hal_evs_default ion_device:chr_file r_file_perms;

# Allow the driver to use automotive display proxy service
binder_call(hal_evs_default, automotive_display_service_server);
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;

# TODO(b/289381868): Remove below line when a vendor process can initialize
#                    EGL without violating selinux rules.
dontaudit hal_evs_default system_prop:file read;

# Allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_writable_prop)

# allow to use binder IPC.
binder_use(hal_evs_default)

# Allow the driver to access vendor files
allow hal_evs_default vendor_data_file:file r_file_perms;

# Allow to access default property.
# get_prop(hal_evs_default, default_prop) triggers neverallow checks.
# Known issue (b/322843384).
dontaudit hal_evs_default default_prop:file read;

# Allow to access /dev/dma_heap/system
allow hal_evs_default dmabuf_system_heap_device:chr_file r_file_perms;

# Allow to use the media extractor.
allow hal_evs_default mediaextractor_service:service_manager find;
allow hal_evs_default mediaserver_service:service_manager find;
binder_call(hal_evs_default, mediaextractor)
binder_call(hal_evs_default, mediaserver)

# Allow to use OMX service.
hal_client_domain(hal_evs_default, hal_omx)
hal_client_domain(hal_evs_default, hal_codec2)

# Allow to interact with mediametrics
allow hal_evs_default mediametrics_service:service_manager find;
binder_call(hal_evs_default, mediametrics)