evs/sepolicy/evs_app.te - platform/packages/services/Car - Git at Google

 # evs app
 type evs_app, domain, coredomain;
 hal_client_domain(evs_app, hal_evs)
 hal_client_domain(evs_app, hal_vehicle)

 # allow init to launch processes in this context
 type evs_app_exec, exec_type, file_type;
 init_daemon_domain(evs_app)

 # gets access to its own files on disk
 type evs_app_files, file_type;
 allow evs_app evs_app_files:file { getattr open read };
 allow evs_app evs_app_files:dir search;

 # Allow use of gralloc buffers and EGL
 allow evs_app hal_graphics_allocator_default:fd use;
 allow evs_app gpu_device:chr_file ioctl;
 allow evs_app gpu_device:chr_file { getattr open read write };

 # Permit communication with the vehicle HAL
 # (Communcations with the rest of the EVS stack is allowed via hal_evs)
 binder_call(evs_app, hal_vehicle);
	# evs app
	type evs_app, domain, coredomain;
	hal_client_domain(evs_app, hal_evs)
	hal_client_domain(evs_app, hal_vehicle)

	# allow init to launch processes in this context
	type evs_app_exec, exec_type, file_type;
	init_daemon_domain(evs_app)

	# gets access to its own files on disk
	type evs_app_files, file_type;
	allow evs_app evs_app_files:file { getattr open read };
	allow evs_app evs_app_files:dir search;

	# Allow use of gralloc buffers and EGL
	allow evs_app hal_graphics_allocator_default:fd use;
	allow evs_app gpu_device:chr_file ioctl;
	allow evs_app gpu_device:chr_file { getattr open read write };

	# Permit communication with the vehicle HAL
	# (Communcations with the rest of the EVS stack is allowed via hal_evs)
	binder_call(evs_app, hal_vehicle);