Restrict access to hwservicemanager

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31

public/hal_vibrator.te

+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;

public/hal_vr.te

-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;

public/hal_wifi.te

@@ -2,6 +2,9 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 

public/hal_wifi_supplicant.te

@@ -2,6 +2,9 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 

public/healthd.te

@@ -24,8 +24,6 @@ wakelock_use(healthd)
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
 hal_client_domain(healthd, hal_health)
 
 # Write to state file.

public/hwservice.te

-type default_android_hwservice,   hwservice_manager_type;
-type hw_camera_provider_ICameraProvider,             hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type;
+type fwk_sensor_hwservice, hwservice_manager_type;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type;
+type hidl_memory_hwservice, hwservice_manager_type;
+type hidl_token_hwservice, hwservice_manager_type;
+type system_wifi_keystore_hwservice, hwservice_manager_type;

public/keystore.te

@@ -7,13 +7,6 @@ binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
 
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

public/mediacodec.te

@@ -34,6 +34,8 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_omx_hwservice)
+
 hal_client_domain(mediacodec, hal_allocator)
 
 # allocate and use graphic buffers

public/mediaserver.te

@@ -95,6 +95,9 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;

public/radio.te

@@ -37,5 +37,4 @@ allow radio system_api_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
-binder_call(radio, hal_telephony)
 hal_client_domain(radio, hal_telephony)

public/te_macros

@@ -509,6 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 

vendor/hal_camera_default.te

@@ -3,3 +3,5 @@ hal_server_domain(hal_camera_default, hal_camera)
 
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;

vendor/hal_sensors_default.te

@@ -3,3 +3,5 @@ hal_server_domain(hal_sensors_default, hal_sensors)
 
 type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;

vendor/hal_wifi_supplicant_default.te

@@ -10,4 +10,5 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
 binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)