Merge "Mark all clients of Allocator HAL"

73a6f38b · Alex Klyubin · Gerrit Code Review · 6b558dcb · 7cda44f4 · 73a6f38b
Commit 73a6f38b authored 8 years ago by Alex Klyubin Committed by Gerrit Code Review 8 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -124,6 +124,11 @@ sepolicy_build_files := security_classes \
                        genfs_contexts \
                        port_contexts
+# CIL files which contain workarounds for current limitation of human-readable
+# module policy language. These files are appended to the CIL files produced
+# from module language files.
+sepolicy_build_cil_workaround_files := technical_debt.cil
 my_target_arch := $(TARGET_ARCH)
 ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
  my_target_arch := mips
@@ -250,9 +255,13 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
@@ -1114,6 +1123,7 @@ plat_policy_nvr :=
 plat_pub_policy.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
+sepolicy_build_cil_workaround_files :=
 with_asan :=
 include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/private/app.te
+++ b/private/app.te
@@ -155,7 +155,6 @@ binder_call(appdomain, ephemeral_app)
 # hidl access for mediacodec
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
-hwallocator_use(appdomain)
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how

--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -12,10 +12,9 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, appdomain)
 binder_service(audioserver)
+hal_client_domain(audioserver, hal_allocator)
 hal_client_domain(audioserver, hal_audio)
-allow audioserver system_file:dir r_dir_perms;
 userdebug_or_eng(`
  # used for TEE sink - pcm capture for debug.
  allow audioserver media_data_file:dir create_dir_perms;

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -168,7 +168,7 @@ binder_service(system_server)
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
-hwallocator_use(system_server)
+hal_client_domain(system_server, hal_allocator)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)

--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,14 +2,8 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
-# Both client and the server need to use hwallocator
-hwallocator_use(hal_audio_client)
-hwallocator_use(hal_audio_server)
 allow hal_audio ion_device:chr_file r_file_perms;
-allow hal_audio system_file:dir { open read };
 userdebug_or_eng(`
  # used for pcm capture for debug.
  allow hal_audio audiohal_data_file:dir create_dir_perms;

--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -25,10 +25,7 @@ allow mediacodec hal_camera:fd use;
 crash_dump_fallback(mediacodec)
-# hidl access
+hal_client_domain(mediacodec, hal_allocator)
-hwbinder_use(mediacodec)
-hwallocator_use(mediacodec)
-allow mediacodec system_file:dir { open read };
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge

--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -136,9 +136,7 @@ allow mediaserver hal_camera:fd use;
 allow mediaserver system_server:fd use;
-# hidl access
+hal_client_domain(mediaserver, hal_allocator)
-hwbinder_use(mediaserver)
-hwallocator_use(mediaserver)
 ###
 ### neverallow rules

--- a/public/te_macros
+++ b/public/te_macros
@@ -327,14 +327,6 @@ define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')
-#####################################
-# hwallocator_use(domain)
-# Allow a domain to use Hidl shared memory
-define(`hwallocator_use', `
-# Call into the allocator hal
-binder_call($1, hal_allocator_server);
-')
 #####################################
 # wakelock_use(domain)
 # Allow domain to manage wake locks

--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -3,3 +3,5 @@ hal_server_domain(hal_audio_default, hal_audio)
 type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
+hal_client_domain(hal_audio_default, hal_allocator)