From 632bc494f199d9d85c37c1751667fe41f4b094cb Mon Sep 17 00:00:00 2001 
From: Alex Klyubin <klyubin@google.com> Date: Thu, 13 Apr 2017 19:05:27 -0700 Subject: [PATCH] Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call from either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. 
make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3 --- private/app.te | 14 +++++-- private/bluetooth.te | 1 - private/halclientdomain.te | 3 ++ private/hwservice_contexts | 53 ++++++++++++++++++++++++++- private/hwservicemanager.te | 3 ++ private/keystore.te | 7 ++++ private/mediaserver.te | 4 ++ private/surfaceflinger.te | 4 +- private/system_server.te | 26 +++++-------- private/vr_hwc.te | 2 + public/cameraserver.te | 3 +- public/domain.te | 18 ++++++++- public/dumpstate.te | 4 +- public/hal_allocator.te | 4 ++ public/hal_audio.te | 3 ++ public/hal_bluetooth.te | 3 ++ public/hal_bootctl.te | 3 ++ public/hal_camera.te | 3 +- public/hal_configstore.te | 5 +++ public/hal_contexthub.te | 8 +++- public/hal_drm.te | 5 +++ public/hal_dumpstate.te | 3 ++ public/hal_fingerprint.te | 3 ++ public/hal_gatekeeper.te | 3 ++ public/hal_gnss.te | 7 +++- public/hal_graphics_allocator.te | 4 ++ public/hal_graphics_composer.te | 8 +++- public/hal_health.te | 8 +++- public/hal_ir.te | 8 +++- public/hal_keymaster.te | 3 ++ public/hal_light.te | 8 +++- public/hal_memtrack.te | 5 +++ public/hal_nfc.te | 3 ++ public/hal_oemlock.te | 3 ++ public/hal_power.te | 6 +++ public/hal_sensors.te | 3 ++ public/hal_telephony.te | 10 +++-- public/hal_thermal.te | 8 +++- public/hal_tv_cec.te | 3 ++ public/hal_tv_input.te | 3 ++ public/hal_usb.te | 8 +++- public/hal_vibrator.te | 6 +++ public/hal_vr.te | 8 +++- public/hal_weaver.te | 3 ++ public/hal_wifi.te | 3 ++ public/hal_wifi_offload.te | 3 ++ public/hal_wifi_supplicant.te | 3 ++ public/healthd.te | 2 - public/hwservice.te | 47 +++++++++++++++++++++++- public/keystore.te | 7 ---- public/mediacodec.te | 2 + public/mediaserver.te | 3 ++ public/radio.te | 1 - public/te_macros | 1 + vendor/hal_camera_default.te | 2 + vendor/hal_sensors_default.te | 2 + 
vendor/hal_wifi_supplicant_default.te | 1 + 57 files changed, 314 insertions(+), 63 deletions(-) create mode 100644 public/hal_memtrack.te create mode 100644 public/hal_power.te
diff --git a/private/app.te b/private/app.te
index b41ebec49..04f2f6520 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec)
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 25e5c81e3..4742a5b43 100644
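Review bot: The second hunk's `hwbinder_use({ appdomain -isolated_app })` and the three new `find` rules exclude isolated_app by subtraction only, so nothing stops a later allow on plain `appdomain`, like the `hwbinder_use(appdomain)` this hunk removes, from handing isolated processes a route to hwservicemanager again. Unless another file already grants isolated_app a hwservice lookup, a `neverallow isolated_app hwservice_manager_type:hwservice_manager { add find };` beside the TODO would lock the decision in at policy-compile time, using the attribute domain.te already applies to this class. The same subtraction carries the third hunk's `hal_renderscript_hwservice` find and the first hunk's `hal_configstore_ISurfaceFlingerConfigs` find, so one neverallow documents all three.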
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -57,7 +57,6 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 
 hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
 hal_client_domain(bluetooth, hal_telephony)
 
 read_runtime_log_tags(bluetooth)
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index d4bdef93d..9dcd3ee38 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain)
 
 # Used to wait for hwservicemanager
 get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9330041a7..9ecf69f1c 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
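Review bot: The new `allow halclientdomain hidl_manager_hwservice:hwservice_manager find;` gives every HAL client a handle to hwservicemanager's own IServiceManager interface, and the comment says only that getService uses it to wait for a server. This commit neverallows `find` on `hidl_base_hwservice` in domain.te because the security effect of a generic lookup is unclear, and the manager interface raises the same question: whatever can be requested through it is presumably still gated by the per-target `find` check, but that is not stated anywhere. Once confirmed, extend the comment to `# Wait for HAL server to be up (used by getService). Per-service find checks still apply to lookups made through the manager.`; if it cannot be confirmed, record it as a TODO alongside the hidl_base one.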
@@ -1,2 +1,51 @@
-android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0
-* u:object_r:default_android_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 627b93f5f..a43eb0206 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,6 @@
 typeattribute hwservicemanager coredomain;
 
 init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/keystore.te b/private/keystore.te
index 6aa888429..a9647c631 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,10 @@
 typeattribute keystore coredomain;
 
 init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 08c3f9b2c..a9b85be0c 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index eeea1852d..3e91d2115 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
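Review bot: Several unrelated interfaces share one label in the new table: `hal_audio_hwservice` covers IDevicesFactory, IEffectsFactory, IBroadcastRadioFactory and ISoundTriggerHw, and `hal_telephony_hwservice` covers IRadio, ISap and the deprecated IOemHook, so any domain with `find` on the shared type reaches all of them. That is coarser than the per-interface label this commit uses for `hal_configstore_ISurfaceFlingerConfigs`, and hal_configstore.te explains that pattern. If the grouping is intended, a comment at the top of this file saying that labels are per-HAL rather than per-interface, and that finer control follows the configstore pattern, would spare the next reader from guessing; IBroadcastRadioFactory and IOemHook are the first candidates for their own types if it is not. The file could also state that `*` maps everything else to `default_android_hwservice`, which domain.te now neverallows for both `add` and `find`, so an interface missing from this table cannot be registered at all.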
@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject;
 read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
index 89b14a926..3dee16a42 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -170,39 +170,29 @@ binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
 hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
 hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_oemlock)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
 hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
 hal_client_domain(system_server, hal_wifi_offload)
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 binder_call(system_server, mediacodec)
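Review bot: `allow system_server hal_omx_hwservice:hwservice_manager find;` and the `hidl_token_hwservice` line beside it sit unexplained in the middle of the alphabetical `hal_client_domain` list under the new `# Use HALs` heading, while the identical OMX rule added to private/mediaserver.te in this commit carries `# TODO(b/36375899): Remove this once OMX HAL is attributized ...`. Give this copy the same TODO so it is found when the OMX HAL gets its own client attribute, and move both lines below the `hal_client_domain` block so the list stays sorted. The token-manager find looks like a separate need (apps, surfaceflinger and cameraserver receive it as well) and merits its own one-line comment rather than sharing the OMX one.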
@@ -210,6 +200,13 @@ binder_call(system_server, mediacodec)
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
@@ -640,9 +637,6 @@ r_dir_file(system_server, proc_net)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
 allow system_server sysfs_leds:lnk_file read;
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
index 51d242061..053c03d98 100644
--- a/private/vr_hwc.te
+++ b/private/vr_hwc.te
@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain;
 
 # Daemon started by init.
 init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 2a243cc5e..0dd4a80ce 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
 
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
 ###
 ### neverallow rules
 ###
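Review bot: `hal_server_domain(vr_hwc, hal_graphics_composer)` in private/vr_hwc.te makes a coredomain process a server under the same `hal_graphics_composer_hwservice` label the vendor composer registers with in public/hal_graphics_composer.te, so a composer client's `find` no longer tells the two apart and the `binder_call(hal_graphics_composer_server, hal_graphics_composer_client)` callback rule now covers vr_hwc as well. Presumably vr_hwc registers a differently named IComposer instance and clients select it by name; if so, say that above the macro, e.g. `# vr_hwc serves its own IComposer instance alongside the vendor composer`, since neither the macro name nor the label makes it visible. The macro body lives in public/te_macros, which is not in view, so the exact permissions it grants vr_hwc cannot be checked from this hunk.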
diff --git a/public/domain.te b/public/domain.te
index 64539781d..886a499b7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
@@ -433,6 +431,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # from service name to service_type are defined in service_contexts.
 neverallow * default_android_service:service_manager add;
 
+# Do not allow hwservice_manager add for default_android_hwservice.
+# Instead domains should use a more specific type such as
+# hal_audio_hwservice rather than the generic type.
+# New service_types are defined in hwservice.te and new mappings
+# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;
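Review bot: The new `neverallow * default_android_hwservice:hwservice_manager { add find };` is the right fence, but its comment is copied from the service_manager rule above it and never says what happens to an unlisted service: hwservice_contexts in this commit maps `*` to `default_android_hwservice`, so after this change an interface absent from that file can neither register nor be found. Adding `# hwservice_contexts maps every unlisted service to this type, so a service missing from that file fails at registration instead of running under the generic label.` turns an opaque denial into a documented one. In the hidl_base paragraph `hwservicemanager currently offer such lookups` should read `offers`. The first hunk leaves the `allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };` workaround in place; since its subject set is empty it does not collide with either neverallow, which is worth a short note there too.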
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3322e1468..7cecdbf88 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -94,10 +94,8 @@ r_dir_file(dumpstate, cgroup)
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain netd wificond })
 
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
 hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+# Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b444593ba..646cebdeb 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,2 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944a0..9539ff40f 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,6 +2,9 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
 allow hal_audio ion_device:chr_file r_file_perms;
 
 userdebug_or_eng(`
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 46fd9d718..c04cd0865 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,6 +2,9 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index b731fd69d..8b240b1ce 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index a00bf9f42..b77ff3a4d 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a8b88b3b..4bf6cfd52 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,2 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index d991e9dfe..f11bfc816 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a773dd5fc..2600843f6 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,6 +2,11 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
 
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 884b6fc2e..2853567e0 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,9 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 580ef3796..bef9f556e 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,6 +2,9 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 618a2ee64..123acf567 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,5 +1,8 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 753791bbf..b59cd1d5a 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e43475149..5f2f098ca 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,10 @@
 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 9ba0bdb17..2d8483d3c 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,9 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 341efdd20..c19c5f1d7 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index adfb5ae18..b1bfdd804 100644
--- a/public/hal_ir.te
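Review bot: `allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;` has no matching `add_hwservice` for `hal_graphics_mapper_hwservice` anywhere in this patch, so either nothing can register IMapper and the rule is dead, or IMapper is passthrough-only and its lookup still consults hwservicemanager, which is what app.te's `# RenderScript always-passthrough HAL` rule implies for another HAL. If the latter, a comment such as `# IMapper is passthrough-only; the find is for getService's lookup path` keeps someone from adding an `add_hwservice` later by symmetry; if the former, the registration rule is missing. The same question applies to the `hidl_memory_hwservice` find rules in public/hal_allocator.te and public/hal_drm.te, which likewise have no server in this patch.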
+++ b/public/hal_ir.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index afcd0bd9d..dc5f6d01d 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 145b02e7f..5b93dd115 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 000000000..b2cc9cd1e
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index d289ef7f7..349dea6a3 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,6 +2,9 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
 
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 69870ec29..3fb5a1871 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -1,2 +1,5 @@
 # HwBinder IPC from client to server
 binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 000000000..fcba3d25d
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 567b0bee1..3cf3069ce 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,6 +1,9 @@
 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
 
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 704adc096..41cfd4bf3 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index a59a97885..b1764f114 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index aa85b926e..7719cae92 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5276ddfea..31a006740 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 5c31c065c..9cfd5165d 100644
--- a/public/hal_usb.te
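Review bot: The rewritten hal_telephony.te drops the explicit `binder_call(hal_telephony, bluetooth)` and relies on the `hal_telephony_client` attribute instead, so unless the bluetooth domain is made a hal_telephony client elsewhere in this change it loses its HwBinder path to the telephony HAL; that should be confirmed before merging. For `radio` the equivalent coverage is visible, since public/radio.te already carries `hal_client_domain(radio, hal_telephony)` and this commit only removes the now-redundant `binder_call(radio, hal_telephony)`. The hunk also adds a trailing blank line (the lone `+` after the last `allow`), which none of the other hal_*.te files touched here end with.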
+++ b/public/hal_usb.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 0d9d308df..c8612d77a 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 08102ad80..3cb392d14 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 78d2b7553..b80ba292c 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -1,2 +1,5 @@
 # HwBinder IPC from client to server
 binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e06d8f9b0..5e0b9bc49 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dac5171b1..dc0cf5a73 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -2,5 +2,8 @@
 binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi_offload, proc_net)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 49ce4fa6e..0f2540e40 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/healthd.te b/public/healthd.te
index 8737dbe5f..c0a7bec7b 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,8 +24,6 @@ wakelock_use(healthd)
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
 hal_client_domain(healthd, hal_health)
 # Write to state file.
diff --git a/public/hwservice.te b/public/hwservice.te
index cf5962942..8b641fb6a 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,2 +1,45 @@
-type default_android_hwservice, hwservice_manager_type;
-type hw_camera_provider_ICameraProvider, hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type;
+type fwk_sensor_hwservice, hwservice_manager_type;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type;
+type hidl_memory_hwservice, hwservice_manager_type;
+type hidl_token_hwservice, hwservice_manager_type;
+type system_wifi_keystore_hwservice, hwservice_manager_type;
diff --git a/public/keystore.te b/public/keystore.te
index 378949a98..2c3118510 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -7,13 +7,6 @@ binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 3445c7a62..5c1ccbf52 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -34,6 +34,8 @@ allow mediacodec hal_camera:fd use;
 crash_dump_fallback(mediacodec)
+add_hwservice(mediacodec, hal_omx_hwservice)
+
 hal_client_domain(mediacodec, hal_allocator)
 # allocate and use graphic buffers
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 8c9ef31f2..cf539f8ee 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
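Review bot: `hal_configstore_ISurfaceFlingerConfigs` is the only type in the new hwservice.te list that is named per interface rather than per HAL, now that `hw_camera_provider_ICameraProvider` has been replaced by `hal_camera_hwservice`. If configstore genuinely needs per-interface labelling, a comment above that line should say why; otherwise renaming it to `hal_configstore_hwservice` keeps the `<hal>_hwservice` convention (the name is presumably referenced from hwservice_contexts and the configstore policy, which would need the same rename). The 45 declarations would also read better with short group comments, e.g. `# Framework-hosted HwBinder services` above the `fwk_*` types and `# HIDL infrastructure services` above the `hidl_*` types, since the purpose of those two groups is not evident from the names alone.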
@@ -95,6 +95,9 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
diff --git a/public/radio.te b/public/radio.te
index 8c3c6a5a3..f5604fd43 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -37,5 +37,4 @@ allow radio system_api_service:service_manager find;
 # Perform HwBinder IPC.
 hwbinder_use(radio)
-binder_call(radio, hal_telephony)
 hal_client_domain(radio, hal_telephony)
diff --git a/public/te_macros b/public/te_macros
index beec54640..661585aa1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -509,6 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
 allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
 neverallow { domain -$1 } $2:hwservice_manager add;
 ')
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8f86a2717..239e5c19b 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,5 @@ hal_server_domain(hal_camera_default, hal_camera)
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 5ba4aaba2..8379c8279 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -3,3 +3,5 @@ hal_server_domain(hal_sensors_default, hal_sensors)
 type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
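Review bot: The new comment `# For interfacing with OMX HAL` in mediaserver.te sits above a `find` on `hidl_token_hwservice`, not on `hal_omx_hwservice`, so a reader will take it for the OMX service lookup itself. The comment should name the service actually being looked up, e.g. `# OMX HAL interop: look up the HIDL token manager service (hidl_token_hwservice)`. Whether mediaserver is also granted find on hal_omx_hwservice is not visible in this hunk and presumably comes from a hal_client_domain rule elsewhere.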
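Review bot: The added `allow $1 hidl_base_hwservice:hwservice_manager add;` in the `add_hwservice` macro grants every caller the right to register under `hidl_base_hwservice`, and the `neverallow` on the following line only covers `$2`, so no server domain is prevented from adding that type. This is presumably intentional (registering a HwBinder service would also register its base interface), but the macro's header comment, which ends with `# others from adding it.` just above, says nothing about it. Suggest placing `# Every server may also add hidl_base_hwservice, presumably because registering a service registers its android.hidl.base ancestor as well; that type is deliberately not covered by the neverallow below.` above the new line. It would also be worth confirming that nothing security-sensitive is labelled hidl_base_hwservice, since that label is now registrable by all HAL servers.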
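Review bot: `allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;` lets a vendor HAL process look up a framework-hosted HwBinder service, and the same pattern is added in vendor/hal_sensors_default.te with `fwk_scheduler_hwservice`; both lines arrive without a comment. Vendor-to-framework lookups like these are exactly what a later policy audit will question, so each should carry a one-line rationale naming the purpose, e.g. `# Camera HAL looks up the framework sensor service (needed for <reason here>)`. Only `find` is granted, not `add`, which is the correct scope for a client of those services.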
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 62b03be4a..8d7069c96 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,4 +10,5 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
 binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
-- GitLab