From 6fe344e350cadc4e82328e101b66cb81976083d1 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Wed, 25 Jan 2017 12:39:35 -0800
Subject: [PATCH] Remove hal_gatekeeper from gatekeeperd domain

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce208680b3a9c1ddcf9bfce886909b66297964.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
---
 public/gatekeeperd.te | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e842cd26c..94fb2b937 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,18 +1,26 @@
 type gatekeeperd, domain;
-# normally uses HAL; implements HAL in pass-through mode only
-hal_impl_domain(gatekeeperd, hal_gatekeeper)
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hwbinder_use(gatekeeperd)
+###
+
 # need to find KeyStore and add self
 add_service(gatekeeperd, gatekeeper_service)
 
-# Scan through /system/lib64/hw looking for installed HALs
-allow gatekeeperd system_file:dir r_dir_perms;
-
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };
-- 
GitLab