Merge "Find hal_foo_hwservice -> you are hal_foo_client."

58f4c6f0 · Steven Moreland · Gerrit Code Review · 93953d0b · 8fc79818 · 58f4c6f0
Commit 58f4c6f0 authored 6 years ago by Steven Moreland Committed by Gerrit Code Review 6 years ago
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,10 @@
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

--- a/public/app.te
+++ b/public/app.te
@@ -219,15 +219,6 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
-# TODO(b/80317992): use hal_client_domain on individual domains or have tests
-#     that the required individual permissions are all granted
-hwbinder_use({ appdomain  -isolated_app })
-allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-binder_call({ appdomain -isolated_app }, hal_omx_server)
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;

--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,7 +3,7 @@ binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_audio, hal_audio_hwservice)
 allow hal_audio ion_device:chr_file r_file_perms;

--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,5 +3,4 @@ binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
 binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
 add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
+hal_attribute_hwservice_client(hal_audiocontrol, hal_audiocontrol_hwservice)
-allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,4 +2,4 @@
 binder_call(hal_authsecret_client, hal_authsecret_server)
 add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
-allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_authsecret, hal_authsecret_hwservice)
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -3,7 +3,7 @@ binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bluetooth, hal_bluetooth_hwservice)
 wakelock_use(hal_bluetooth);

--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,6 +3,6 @@ binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bootctl, hal_bootctl_hwservice)
 dontaudit hal_bootctl self:capability sys_rawio;
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
 binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
 add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_broadcastradio, hal_broadcastradio_hwservice)
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -3,7 +3,7 @@ binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_camera, hal_camera_hwservice)
 allow hal_camera device:dir r_dir_perms;
 allow hal_camera video_device:dir r_dir_perms;

--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -3,7 +3,7 @@ binder_call(hal_cas_client, hal_cas_server)
 binder_call(hal_cas_server, hal_cas_client)
 add_hwservice(hal_cas_server, hal_cas_hwservice)
-allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 # Permit reading device's serial number from system properties

--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -2,4 +2,4 @@
 binder_call(hal_confirmationui_client, hal_confirmationui_server)
 add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
-allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_confirmationui, hal_confirmationui_hwservice)
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -3,4 +3,4 @@ binder_call(hal_contexthub_client, hal_contexthub_server)
 binder_call(hal_contexthub_server, hal_contexthub_client)
 add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_contexthub, hal_contexthub_hwservice)
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -3,7 +3,7 @@ binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_drm, hal_drm_hwservice)
 allow hal_drm hidl_memory_hwservice:hwservice_manager find;

--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -3,7 +3,7 @@ binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_dumpstate, hal_dumpstate_hwservice)
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;

--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,7 +3,7 @@ binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_fingerprint, hal_fingerprint_hwservice)
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;

--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gatekeeper, hal_gatekeeper_hwservice)
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;

--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,4 +3,4 @@ binder_call(hal_gnss_client, hal_gnss_server)
 binder_call(hal_gnss_server, hal_gnss_client)
 add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gnss, hal_gnss_hwservice)
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -2,7 +2,7 @@
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
 # GPU device access

--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -3,7 +3,7 @@ binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
 add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_composer, hal_graphics_composer_hwservice)
 # Coordinate with hal_graphics_mapper
 allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;

--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,7 +3,7 @@ binder_call(hal_health_client, hal_health_server)
 binder_call(hal_health_server, hal_health_client)
 add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_health, hal_health_hwservice)
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order