Switch Boot Control HAL policy to _client/_server

This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf

private/system_server.te

@@ -174,7 +174,6 @@ binder_service(system_server)
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
 hwallocator_use(system_server)
-binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)

public/attributes

@@ -110,11 +110,6 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# All domains that access the boot_control HAL. The permissions the HAL
-# requires are specific to the implementation provided in each device, but
-# common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
@@ -132,6 +127,9 @@ attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_bluetooth_client;
 attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
 attribute hal_camera;
 attribute hal_camera_client;
 attribute hal_camera_server;

public/boot_control_hal.te

-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;

public/device.te

@@ -99,6 +99,3 @@ type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;

public/hal_boot.te

-# boot_control subsystem
-type hal_boot, domain, boot_control_hal;
-
-# call into system_server process (callbacks)
-binder_call(hal_boot, system_server)

public/hal_bootctl.te

+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)

public/recovery.te

@@ -8,7 +8,8 @@ type recovery, domain, domain_deprecated;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common, boot_control_hal;
+  typeattribute recovery update_engine_common;
+  hal_client_domain(recovery, hal_bootctl)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 

public/update_engine.te

 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
@@ -39,6 +38,5 @@ binder_call(update_engine, priv_app)
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
 
-# Use binderized HAL
-hwbinder_use(update_engine)
-binder_call(update_engine, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)

public/update_verifier.te

 # update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
 type update_verifier_exec, exec_type, file_type;
 
-# find the boot_control_hal
-allow update_verifier system_file:dir r_dir_perms;
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
@@ -16,6 +12,5 @@ allow update_verifier ota_package_file:file r_file_perms;
 # Read all blocks in dm wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
 
-# Use binderized HAL
-hwbinder_use(update_verifier)
-binder_call(update_verifier, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)

vendor/file_contexts

@@ -4,7 +4,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0

vendor/hal_boot.te

-# boot_control subsystem
-
-hal_impl_domain(hal_boot)
-
-type hal_boot_exec, exec_type, file_type;
-init_daemon_domain(hal_boot)

vendor/hal_bootctl_default.te

+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, file_type;
+init_daemon_domain(hal_bootctl_default)