From 1aedf4b5f8bdc391c61a22d01278de70c26eb9e8 Mon Sep 17 00:00:00 2001
From: Andrew Scull <ascull@google.com>
Date: Wed, 10 Jan 2018 16:11:46 +0000
Subject: [PATCH] authsecret HAL policies.

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
---
 private/app_neverallows.te          | 1 +
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/hwservice_contexts          | 1 +
 private/system_server.te            | 1 +
 public/attributes                   | 1 +
 public/hal_authsecret.te            | 5 +++++
 public/hwservice.te                 | 1 +
 public/su.te                        | 1 +
 vendor/hal_authsecret_default.te    | 5 +++++
 9 files changed, 17 insertions(+)
 create mode 100644 public/hal_authsecret.te
 create mode 100644 vendor/hal_authsecret_default.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd859..5be16ecf2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -179,6 +179,7 @@ neverallow all_untrusted_apps {
 neverallow all_untrusted_apps {
   default_android_hwservice
   hal_audio_hwservice
+  hal_authsecret_hwservice
   hal_bluetooth_hwservice
   hal_bootctl_hwservice
   hal_camera_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b38eb15b2..244465864 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -11,6 +11,7 @@
     e2fs
     e2fs_exec
     fs_bpf
+    hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_lowpan_hwservice
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index a98c68a02..ce3cf8b38 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -3,6 +3,7 @@ android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_s
 android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index c29d1b277..345c24ac4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,6 +177,7 @@ binder_service(system_server)
 
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
diff --git a/public/attributes b/public/attributes
index c25f1ebc8..5125c307b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -198,6 +198,7 @@ expandattribute halclientdomain true;
 # HALs
 hal_attribute(allocator);
 hal_attribute(audio);
+hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(bootctl);
 hal_attribute(broadcastradio);
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
new file mode 100644
index 000000000..81b0c0445
--- /dev/null
+++ b/public/hal_authsecret.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
+allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
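Review bot: Nothing in this new file limits which domains may be given `hal_authsecret_client`, so the `find` rule on the last line is only as narrow as future `hal_client_domain(...)` callers keep it. This commit adds `system_server` and, on userdebug/eng, `su`. If this HAL handles credential-derived material, as its name suggests (the interface is not shown on this page), pin the intended client set with a neverallow. It could be along the lines of `neverallow { domain -system_server -hal_authsecret_server -su } hal_authsecret_hwservice:hwservice_manager find;`, validated against the build's neverallow checks. The file also lacks a header comment; something like `# authsecret HAL: only system_server is expected to be a client` above the `binder_call` line would record the intent for later reviewers.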
diff --git a/public/hwservice.te b/public/hwservice.te
index 19a72051b..fe4ab8870 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -3,6 +3,7 @@ type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_audio_hwservice, hwservice_manager_type;
+type hal_authsecret_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
diff --git a/public/su.te b/public/su.te
index 88065f626..a8f2a350a 100644
--- a/public/su.te
+++ b/public/su.te
@@ -58,6 +58,7 @@ userdebug_or_eng(`
   typeattribute su halclientdomain;
   typeattribute su hal_allocator_client;
   typeattribute su hal_audio_client;
+  typeattribute su hal_authsecret_client;
   typeattribute su hal_bluetooth_client;
   typeattribute su hal_bootctl_client;
   typeattribute su hal_camera_client;
diff --git a/vendor/hal_authsecret_default.te b/vendor/hal_authsecret_default.te
new file mode 100644
index 000000000..46f5291cf
--- /dev/null
+++ b/vendor/hal_authsecret_default.te
@@ -0,0 +1,5 @@
+type hal_authsecret_default, domain;
+hal_server_domain(hal_authsecret_default, hal_authsecret)
+
+type hal_authsecret_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authsecret_default)
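Review bot: `hal_authsecret_default_exec` is declared here, but none of the nine files in this commit's diffstat is a `file_contexts` file. Nothing therefore labels a binary with that type, and the `init_daemon_domain` transition on the last line has nothing to trigger on. If the label lands in a separate change, note that in the commit message. Otherwise add a `vendor/file_contexts` entry mapping the service binary (`<path-to-authsecret-service-binary>`, a placeholder since the path is not on this page) to `u:object_r:hal_authsecret_default_exec:s0`. A short header comment such as `# Default vendor implementation of the authsecret HAL` would also help. The domain is granted nothing beyond the two macros, which is a sound least-privilege baseline to keep as the implementation grows.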
-- 
GitLab