From 8a52c98455f1d01201e816a567a1fdeee79e8731 Mon Sep 17 00:00:00 2001 From: Steven Moreland <smoreland@google.com> Date: Thu, 26 Apr 2018 10:10:43 -0700 Subject: [PATCH] Enforce parent hal attribute hierarchy. In order to support passthrough + binderized implementations with a simple switch, there is a hierarchy of attributes for different hal servers. /------- hal_X --------\ | ** | v v hal_X_client hal_X_server | | | | v v halclientdomain halserverdomain ** - hal_X -> hal_X_server is only on non-Treble devices. This is because on these devices, certain HALs are allowed to be loaded directly into the client process in "passthrough" mode as was the case in Android before Android O. This is a legacy compatibility mode. On Treble devices, any client can also be hal_X just by virtue of a server being able to also be a hal client. There is also one exception to this rule. su is not given every hal_* permission. If it is given all of these permissions on non-Treble devices, it must be added as an exemption to many other neverallow rules. As a sideeffect (which existed before this patch), su is not allowed to talk directly to all hardware on non-Treble devices as with Treble devices. Fixes: 34180936 Test: compile only (neverallow rules are resolved at compile time) Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945 --- public/te_macros | 2 ++ 1 file changed, 2 insertions(+) diff --git a/public/te_macros b/public/te_macros index 4d5f84bbc..e5c476a35 100644 --- a/public/te_macros +++ b/public/te_macros @@ -213,7 +213,9 @@ expandattribute hal_$1_client true; attribute hal_$1_server; expandattribute hal_$1_server false; +neverallow { hal_$1_server -hal_$1 } domain:process fork; neverallow { hal_$1_server -halserverdomain } domain:process fork; +neverallow { hal_$1_client -halclientdomain } domain:process fork; ') ##################################### -- GitLab
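Review bot: The commit message's footnote says "hal_X -> hal_X_server is only on non-Treble devices", but the first added rule, `neverallow { hal_$1_server -hal_$1 } domain:process fork;`, enforces that every hal_$1_server domain is also hal_$1 unconditionally, with no Treble guard around it; either the footnote belongs on the hal_X -> hal_X_client edge (which would match the description of clients loading HALs in passthrough mode only on non-Treble devices, and would explain why the hunk adds no `hal_$1_client -hal_$1` counterpart) or the rule needs a guard, so please confirm which and fix the text or the rule to match. Separately, both new rules rely on the `domain:process fork` convention, where a permission every domain needs is neverallowed for a set difference so that any domain in hal_$1_server but not hal_$1, or in hal_$1_client but not halclientdomain, fails at policy compile time, exactly as the Test line states; that convention is not visible from the macro itself, so a one-line comment above the first neverallow saying that fork is only a compile-time assertion that the attribute sets nest would stop a later reader from treating fork as meaningful here, and the same comment is a natural place to record the hierarchy diagram from the commit message next to the macro that enforces it.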