Audit access to same_process_hal_file.

am: 81ade3dd

Change-Id: Ie3437cd699d16cbf72fca61c5646800d90feaa2a

private/isolated_app.te

@@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;
 
+# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
+# if needed.
+userdebug_or_eng(`
+  auditallow isolated_app same_process_hal_file:file *;
+')
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;

public/domain.te

@@ -188,7 +188,22 @@ allow domain vendor_hal_file:dir r_dir_perms;
 
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
+# TODO(b/37211678): whitelist domains that actually need same process HALs.
 allow domain same_process_hal_file:file { execute read open getattr map };
+# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
+# same_process_hal_file label, which is what we are interested in.
+userdebug_or_eng(`
+  auditallow {
+    coredomain
+    -zygote
+    -hal_allocator_client
+    # Graphics mapper clients.
+    -hal_graphics_allocator_client
+    # Renderscript clients include { system_server appdomain -isolated_app }.
+    -appdomain
+    -system_server
+  } same_process_hal_file:file *;
+')
 
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs