From 5007c10a51a150d3af9c29e1392279ffbf9347d9 Mon Sep 17 00:00:00 2001 From: Alex Klyubin <klyubin@google.com> Date: Mon, 17 Apr 2017 12:53:40 -0700 Subject: [PATCH] Apps and system_server are gralloc HAL clients This commit marks system_server and app domains (except isolated_app) as clients of Graphics Allocator HAL. This makes the policy cleaner and prepares ground for restricting access to HwBinder services. Test: Play video in YouTube app and in Google Chrome YouTube web page Test: Using Google Camera app, take an HDR+ photo, a conventional photo, record a video with sound and a slow motion video with sound, then check that photos look good and videos play back fine, including sound. Bug: 34454312 Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a --- private/app.te | 3 --- private/system_server.te | 3 +-- private/technical_debt.cil | 5 +++++ 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/private/app.te b/private/app.te index 2fddb444f..4c5cb380d 100644 --- a/private/app.te +++ b/private/app.te @@ -270,9 +270,6 @@ auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write app # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx) get_prop({ appdomain -isolated_app }, hwservicemanager_prop); -# Allow app to access the graphic allocator HAL -binder_call({ appdomain -isolated_app }, hal_graphics_allocator) - # Allow app access to mediacodec (IOMX HAL) binder_call({ appdomain -isolated_app }, mediacodec) diff --git a/private/system_server.te b/private/system_server.te index 0f0dcdc55..404a253aa 100644 --- a/private/system_server.te +++ b/private/system_server.te 
@@ -175,7 +175,7 @@ hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_fingerprint) binder_call(system_server, hal_gnss) hal_client_domain(system_server, hal_gnss) -binder_call(system_server, hal_graphics_allocator) +hal_client_domain(system_server, hal_graphics_allocator) binder_call(system_server, hal_ir) hal_client_domain(system_server, hal_ir) binder_call(system_server, hal_light) @@ -627,7 +627,6 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi r_dir_file(system_server, cgroup) allow system_server ion_device:chr_file r_file_perms; -allow system_server hal_graphics_allocator:fd use; r_dir_file(system_server, proc) r_dir_file(system_server, proc_meminfo) diff --git a/private/technical_debt.cil b/private/technical_debt.cil index abc21a758..e95e555a6 100644 --- a/private/technical_debt.cil +++ b/private/technical_debt.cil @@ -12,6 +12,11 @@ (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app)))))) (typeattributeset halclientdomain (hal_allocator_client)) +; Apps, except isolated apps, are clients of Graphics Allocator HAL +; Unfortunately, we can't currently express this in module policy language: +; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client; +(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app)))))) + ; Domains hosting Camera HAL implementations are clients of Allocator HAL ; Unfortunately, we can't currently express this in module policy language: ; typeattribute hal_camera hal_allocator_client; -- GitLab
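Review bot: Nothing in this patch shows which rules `hal_graphics_allocator_client` carries, yet the `binder_call(system_server, hal_graphics_allocator)` line replaced in this hunk and the `allow system_server hal_graphics_allocator:fd use;` line dropped in the hunk at 627 both depend on that attribute granting the same access. The file that attaches rules to the client attribute is outside this diff, so the equivalence should be confirmed against the compiled policy; the functional tests in the commit message only show that nothing became narrower. It is also worth checking whether `hal_client_domain` gives system_server anything beyond the two removed permissions on builds where the HAL can run in-process, since that would be a widening the commit message does not mention. A short comment next to the new line, such as `# binder_call and fd use now come from hal_graphics_allocator_client`, would record where the access is granted.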
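Review bot: The new `hal_graphics_allocator_client` entry in private/technical_debt.cil omits the `halclientdomain` association that the `hal_allocator_client` entry directly above it makes on its second line. The same set of domains (appdomain minus isolated_app) already reaches `halclientdomain` through that older entry, so the effect today is probably nil. The new block still depends silently on its neighbour, and any rule or neverallow keyed on `halclientdomain` would stop covering these domains if the older entry were removed. Adding `(typeattributeset halclientdomain (hal_graphics_allocator_client))` after the new typeattributeset line would make the entry self-contained and keep it consistent with the existing `hal_allocator_client` entry.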