Restrict access to hwservicemanager

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3

public/hal_drm.te

@@ -2,6 +2,11 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
 

public/hal_dumpstate.te

@@ -2,6 +2,9 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls

public/hal_fingerprint.te

@@ -2,6 +2,9 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 

public/hal_gatekeeper.te

 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper ion_device:chr_file r_file_perms;

public/hal_gnss.te

-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;

public/hal_graphics_allocator.te

 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;

public/hal_graphics_composer.te

-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;

public/hal_health.te

-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order

public/hal_ir.te

-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;

public/hal_keymaster.te

 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;

public/hal_light.te

-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;

public/hal_memtrack.te

+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;

public/hal_nfc.te

@@ -2,6 +2,9 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
 

public/hal_oemlock.te

 # HwBinder IPC from client to server
 binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;

public/hal_power.te

+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;

public/hal_sensors.te

 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
 

public/hal_telephony.te

-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+

public/hal_thermal.te

-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;

public/hal_tv_cec.te

 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;

public/hal_tv_input.te

 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;