From 09d13e734d651e8cb92187f477e3cdc485128311 Mon Sep 17 00:00:00 2001 
From: Alex Klyubin <klyubin@google.com> Date: Thu, 16 Mar 2017 19:17:15 -0700 Subject: [PATCH] Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. 
ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
---
private/system_server.te | 1 -
public/attributes | 8 +++-----
public/boot_control_hal.te | 2 --
public/device.te | 3 ---
public/hal_boot.te | 5 -----
public/hal_bootctl.te | 3 +++
public/recovery.te | 3 ++-
public/update_engine.te | 8 +++-----
public/update_verifier.te | 11 +++--------
vendor/file_contexts | 2 +-
vendor/hal_boot.te | 6 ------
vendor/hal_bootctl_default.te | 6 ++++++
12 files changed, 21 insertions(+), 37 deletions(-)
delete mode 100644 public/boot_control_hal.te
delete mode 100644 public/hal_boot.te
create mode 100644 public/hal_bootctl.te
delete mode 100644 vendor/hal_boot.te
create mode 100644 vendor/hal_bootctl_default.te
diff --git a/private/system_server.te b/private/system_server.te
index 58a25e29c..602924345 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -174,7 +174,6 @@ binder_service(system_server)
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
 hwallocator_use(system_server)
-binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
diff --git a/public/attributes b/public/attributes
index a0c1f9397..799a4fd78 100644
--- a/public/attributes
+++ b/public/attributes
@@ -110,11 +110,6 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
-# All domains that access the boot_control HAL. The permissions the HAL
-requires are specific to the implementation provided in each device, but
-common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
@@ -132,6 +127,9 @@ attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_bluetooth_client;
 attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
 attribute hal_camera;
 attribute hal_camera_client;
 attribute hal_camera_server;
diff --git a/public/boot_control_hal.te b/public/boot_control_hal.te
deleted file mode 100644
index 2a670b39b..000000000
--- a/public/boot_control_hal.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/public/device.te b/public/device.te
index 633515fe9..c9c64dc00 100644
--- a/public/device.te
+++ b/public/device.te
@@ -99,6 +99,3 @@ type metadata_block_device, dev_type;
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/public/hal_boot.te b/public/hal_boot.te
deleted file mode 100644
index 870f1e4d7..000000000
--- a/public/hal_boot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# boot_control subsystem
-type hal_boot, domain, boot_control_hal;
-
-# call into system_server process (callbacks)
-binder_call(hal_boot, system_server)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
new file mode 100644
index 000000000..b731fd69d
--- /dev/null
+++ b/public/hal_bootctl.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
diff --git a/public/recovery.te b/public/recovery.te
index 11c01ed50..a61c8e94f 100644
--- a/public/recovery.te
+++ b/public/recovery.te
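Review bot: `binder_call(hal_bootctl_server, hal_bootctl_client)` in the new public/hal_bootctl.te gives the server domain the reverse call direction into every domain that becomes a hal_bootctl client in this patch (recovery, update_engine, update_verifier), and nothing in the change shows a callback interface that needs it; the comment's "and callbacks" looks carried over from the deleted `binder_call(hal_boot, system_server)` in public/hal_boot.te rather than re-derived. A server-to-client binder_call is what would let a misbehaving HAL process drive its clients, so it should be justified or dropped. If the Boot Control HAL interface defines no callbacks, remove that line; otherwise replace the comment with one naming the callback that requires it, e.g. `# Server->client direction is required for <callback name> only`.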
@@ -8,7 +8,8 @@ type recovery, domain, domain_deprecated; # Otherwise recovery is only allowed the domain rules. recovery_only(` # Allow recovery to perform an update as update_engine would do. - typeattribute recovery update_engine_common, boot_control_hal; + typeattribute recovery update_engine_common; + hal_client_domain(recovery, hal_bootctl) allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
diff --git a/public/update_engine.te b/public/update_engine.te
index 31ba14f74..33eb2a80e 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,5 @@
 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
@@ -39,6 +38,5 @@ binder_call(update_engine, priv_app)
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
-# Use binderized HAL
-hwbinder_use(update_engine)
-binder_call(update_engine, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 848215945..8c8e9a976 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,11 +1,7 @@
 # update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
 type update_verifier_exec, exec_type, file_type;
-# find the boot_control_hal
-allow update_verifier system_file:dir r_dir_perms;
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
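Review bot: In the second public/update_engine.te hunk, dropping `hwbinder_use(update_engine)` in favour of `hal_client_domain(update_engine, hal_bootctl)` only preserves binderized-mode access if the hal_client_domain macro itself expands to hwbinder_use(); the macro lives in te_macros, which this patch does not touch, so that equivalence is inferred here, not shown. The same substitution is made in the public/update_verifier.te hunk that follows on the next line. If the macro does grant it, a one-line comment at the new call, `# hal_client_domain covers hwbinder_use for the binderized case`, would keep a later reader from re-adding the explicit rule; if it does not, the explicit hwbinder_use lines need to stay in both files.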
@@ -16,6 +12,5 @@ allow update_verifier ota_package_file:file r_file_perms;
 # Read all blocks in dm wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
-# Use binderized HAL
-hwbinder_use(update_verifier)
-binder_call(update_verifier, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 98317e32c..4e74f009e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
diff --git a/vendor/hal_boot.te b/vendor/hal_boot.te
deleted file mode 100644
index 666eacdbf..000000000
--- a/vendor/hal_boot.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# boot_control subsystem
-
-hal_impl_domain(hal_boot)
-
-type hal_boot_exec, exec_type, file_type;
-init_daemon_domain(hal_boot)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
new file mode 100644
index 000000000..9986fb5c7
--- /dev/null
+++ b/vendor/hal_bootctl_default.te
@@ -0,0 +1,6 @@
+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, file_type;
+init_daemon_domain(hal_bootctl_default)
-- GitLab
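Review bot: The new vendor/hal_bootctl_default.te gives the server domain only the generic `hal_server_domain(hal_bootctl_default, hal_bootctl)` rules, while the same patch deletes `allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;` and the bootctrl_block_device type, so nothing in this diff lets the binderized daemon reach the boot-control storage it manages. That access now has to come from device-specific policy, and any device policy still naming boot_control_hal or bootctrl_block_device will stop building. A comment in this file would make the contract explicit, e.g. `# Access to the device's boot-control block device must be granted by device-specific policy; the generic bootctrl_block_device type no longer exists.`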