From 67531bbd1968dc3d5e23306f2438e56fb00205a3 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 28 Jul 2017 10:25:42 -0700
Subject: [PATCH] Assign su as a client to all HAL domains

VTS testing is intended to be run on userdebug builds with:
1. Tests running in the permissive su domain.
2. HALs running in enforcing mode (i.e. setenforce 1).

As such su needs to be a client to every HAL.

Example:
hal_tetheroffload_server has permission to receive and use a
netlink_netfilter_socket from hal_tetheroffload_client (currently
system_server). Before declaring su as hal_tetheroffload_client
VTS tests were failing with the following denials:

avc: denied { setopt } for comm="HwBinder:843_1"
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socket
avc: denied { read write } for comm="VtsHalTetheroff"
path="socket:[216191]" dev="sockfs" ino=216191
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socket
avc: denied { getattr } for comm="HwBinder:843_1"
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socket

su acting as client to hal_tetheroffload_server passes it
a netlink_netfilter_socket, permissions which are already granted to
hal_tetheroffload_client

With su declared as hal_tetheroffload_client tests pass as expected.

Bug: 36792117
Test: build
Change-Id: If2d3978eee0f96e50ad0c0cc6afc0f18b2d264f2
---
 public/su.te | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/public/su.te b/public/su.te
index 8ddd16224..88065f626 100644
--- a/public/su.te
+++ b/public/su.te
@@ -50,4 +50,47 @@ userdebug_or_eng(`
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
+
+  # VTS tests run in the permissive su domain on debug builds, but the HALs
+  # being tested run in enforcing mode. Because hal_foo_server is enforcing
+  # su needs to be declared as hal_foo_client to grant hal_foo_server
+  # permission to interact with it.
+  typeattribute su halclientdomain;
+  typeattribute su hal_allocator_client;
+  typeattribute su hal_audio_client;
+  typeattribute su hal_bluetooth_client;
+  typeattribute su hal_bootctl_client;
+  typeattribute su hal_camera_client;
+  typeattribute su hal_configstore_client;
+  typeattribute su hal_contexthub_client;
+  typeattribute su hal_drm_client;
+  typeattribute su hal_cas_client;
+  typeattribute su hal_dumpstate_client;
+  typeattribute su hal_fingerprint_client;
+  typeattribute su hal_gatekeeper_client;
+  typeattribute su hal_gnss_client;
+  typeattribute su hal_graphics_allocator_client;
+  typeattribute su hal_graphics_composer_client;
+  typeattribute su hal_health_client;
+  typeattribute su hal_ir_client;
+  typeattribute su hal_keymaster_client;
+  typeattribute su hal_light_client;
+  typeattribute su hal_memtrack_client;
+  typeattribute su hal_neuralnetworks_client;
+  typeattribute su hal_nfc_client;
+  typeattribute su hal_oemlock_client;
+  typeattribute su hal_power_client;
+  typeattribute su hal_sensors_client;
+  typeattribute su hal_telephony_client;
+  typeattribute su hal_tetheroffload_client;
+  typeattribute su hal_thermal_client;
+  typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_input_client;
+  typeattribute su hal_usb_client;
+  typeattribute su hal_vibrator_client;
+  typeattribute su hal_vr_client;
+  typeattribute su hal_weaver_client;
+  typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_offload_client;
+  typeattribute su hal_wifi_supplicant_client;
 ')
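Review bot: The client-attribute list is hand-enumerated, so any hal_foo_client attribute introduced after this change will silently leave su out and the VTS denials described in the commit message will reappear for that HAL; the block comment at the top of the added lines should say so, e.g. `# Keep this list in sync with the set of hal_*_client attributes; a HAL whose client attribute is missing here will hit avc denials against su under VTS.` Alphabetical order is also broken on one line: hal_cas_client is placed after hal_drm_client but belongs between hal_camera_client and hal_configstore_client. Since, as the comment itself notes, the purpose of the change is to let each enforcing hal_foo_server interact with su, the comment would be more useful if it stated explicitly that this widening is confined to userdebug_or_eng builds and never reaches user builds. The userdebug_or_eng block these lines sit in opens before the hunk.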
-- 
GitLab