Updates EVS sepolicies

Adds more permissions based on audit results.

Change-Id: Ia34a1581fd47dcb8dd3a12eaf62293f914ef0d4a
Signed-off-by: Changyeon Jo <changyeon@google.com>
diff --git a/evs/sepolicy/evs_app.te b/evs/sepolicy/evs_app.te
index ef78f0b..098499a 100644
--- a/evs/sepolicy/evs_app.te
+++ b/evs/sepolicy/evs_app.te
@@ -2,6 +2,8 @@
 type evs_app, domain, coredomain;
 hal_client_domain(evs_app, hal_evs)
 hal_client_domain(evs_app, hal_vehicle)
+hal_client_domain(evs_app, hal_configstore)
+hal_client_domain(evs_app, hal_graphics_allocator)
 
 # allow init to launch processes in this context
 type evs_app_exec, exec_type, file_type;
@@ -13,10 +15,6 @@
 allow evs_app evs_app_files:dir search;
 
 # Allow use of gralloc buffers and EGL
-allow evs_app hal_graphics_allocator_default:fd use;
-allow evs_app gpu_device:chr_file ioctl;
-allow evs_app gpu_device:chr_file { getattr open read write };
-
-# Permit communication with the vehicle HAL
-# (Communcations with the rest of the EVS stack is allowed via hal_evs)
-binder_call(evs_app, hal_vehicle);
+allow evs_app gpu_device:chr_file rw_file_perms;
+allow evs_app ion_device:chr_file r_file_perms;
+allow evs_app system_file:dir r_dir_perms;
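Review bot: `allow evs_app system_file:dir r_dir_perms;` lets evs_app open and list every directory labelled system_file, and nothing in the hunk records which access needed it; the only comment above still reads "Allow use of gralloc buffers and EGL". Since the commit message says the rules come from audit results, a comment naming the denied path would help, for example `# <component> enumerates <directory under /system> at startup`, with the placeholders filled in from the denial log. The switch to `rw_file_perms` on gpu_device also grants more than the removed `ioctl` plus `{ getattr open read write }` set, because the macro normally adds append, lock and map as well. The same widening is applied to video_device and gpu_device in evs_driver.te, so confirm it is intended there too.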
diff --git a/evs/sepolicy/evs_driver.te b/evs/sepolicy/evs_driver.te
index 5d316a4..dcf6700 100644
--- a/evs/sepolicy/evs_driver.te
+++ b/evs/sepolicy/evs_driver.te
@@ -5,16 +5,16 @@
 # allow init to launch processes in this context
 type hal_evs_driver_exec, exec_type, file_type;
 init_daemon_domain(hal_evs_driver)
+binder_use(hal_evs_driver)
 
 # Allow use of USB devices, gralloc buffers, and surface flinger
 allow hal_evs_driver device:dir { open read };
-allow hal_evs_driver video_device:chr_file { ioctl open read write };
+allow hal_evs_driver video_device:chr_file rw_file_perms;
 hal_client_domain(hal_evs_driver, hal_graphics_allocator);
+hal_client_domain(hal_evs_driver, hal_graphics_composer)
+hal_client_domain(hal_evs_driver, hal_configstore)
 
-allow hal_evs_driver gpu_device:chr_file { getattr ioctl open read write };
+allow hal_evs_driver gpu_device:chr_file rw_file_perms;
 binder_call(hal_evs_driver, surfaceflinger);
 allow hal_evs_driver surfaceflinger_service:service_manager find;
-allow hal_evs_driver hal_graphics_composer_default:fd use;
-allow hal_evs_driver hal_graphics_allocator_default_tmpfs:file { read write };
-allow hal_evs_driver self:capability dac_override;
-allow hal_evs_driver servicemanager:binder call;
+allow hal_evs_driver ion_device:chr_file r_file_perms;
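Review bot: `binder_use(hal_evs_driver)` is placed directly under the "allow init to launch processes in this context" comment, so it reads as part of the init transition rather than as a binder grant. It would be clearer next to `binder_call(hal_evs_driver, surfaceflinger);` with its own comment, for example `# Talk to servicemanager to look up surfaceflinger`. The domain's type declaration is above this hunk; if hal_evs_driver is not declared as a coredomain, framework binder use from a HAL domain is likely to be rejected by the Treble neverallow rules, which is worth checking in a full-Treble build.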
diff --git a/evs/sepolicy/evs_manager.te b/evs/sepolicy/evs_manager.te
index 1f99d96..58ea6aa 100644
--- a/evs/sepolicy/evs_manager.te
+++ b/evs/sepolicy/evs_manager.te
@@ -2,7 +2,11 @@
 type evs_manager, domain, coredomain;
 hal_server_domain(evs_manager, hal_evs)
 hal_client_domain(evs_manager, hal_evs)
+add_hwservice(hal_evs, hal_evs_hwservice)
 
 # allow init to launch processes in this context
 type evs_manager_exec, exec_type, file_type;
 init_daemon_domain(evs_manager)
+
+# allow use of hwservices
+allow evs_manager hal_graphics_allocator_default:fd use;
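Review bot: The comment `# allow use of hwservices` does not match the rule under it, because `allow evs_manager hal_graphics_allocator_default:fd use;` only lets evs_manager use file descriptors created by the default allocator process and grants no hwservice access. The rule is also tied to one implementation type, the pattern this commit removes from evs_app.te in favour of `hal_client_domain(evs_app, hal_graphics_allocator)`, so a device with a different allocator domain would presumably hit the denial again. Suggest a comment such as `# Accept gralloc buffer fds passed through the manager` (intent inferred) and, if the attribute exists in this tree, `allow evs_manager hal_graphics_allocator_server:fd use;`. Separately, `add_hwservice(hal_evs, hal_evs_hwservice)` names the hal_evs attribute rather than evs_manager, so the right to register the service goes to every domain carrying that attribute; confirm that is meant.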
diff --git a/evs/sepolicy/surfaceflinger.te b/evs/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..69affc0
--- /dev/null
+++ b/evs/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger hal_evs_driver:fd use;
+allow surfaceflinger hal_evs_driver:binder call;
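Review bot: The new file has no comment explaining why the platform surfaceflinger domain needs to call into hal_evs_driver, which matters because these two rules extend a core domain from a car-specific policy directory. A header such as `# surfaceflinger calls back into the EVS driver, which acts as a display client` would record the intent (wording to be confirmed by the author). The two rules also match what `binder_call(surfaceflinger, hal_evs_driver)` would grant, minus `transfer`, and evs_driver.te already uses that macro for the opposite direction, so using it here would keep the pair symmetric if transfer is acceptable.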