From 9147a23835828561253e89bb32f8cdcff4d20f96 Mon Sep 17 00:00:00 2001
From: Glen Kuhne <kuh@google.com>
Date: Thu, 15 Dec 2016 10:46:22 -0800
Subject: [PATCH] hwbinder_use: allow for hwservicemanager callbacks.

In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.

Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
---
 public/hwservicemanager.te | 11 +++++------
 public/te_macros           |  2 ++
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index f179599b2..20a722931 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -3,13 +3,12 @@ type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
 # Note that we do not use the binder_* macros here.
-# hwservicemanager only provides name service (aka context manager)
-# for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
 allow hwservicemanager self:binder set_context_mgr;
-allow hwservicemanager { domain -init }:binder transfer;
 
 set_prop(hwservicemanager, hwservicemanager_prop)
 
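Review bot: Removing `allow hwservicemanager { domain -init }:binder transfer;` also drops the explicit exclusion of init, and nothing in the new policy re-asserts it. The domains hwservicemanager can reach are now whichever ones invoke `hwbinder_use`, so a later use of the macro by init would silently give hwservicemanager `call` and `transfer` on it. Assuming init does not use `hwbinder_use` today (not visible here), a guard such as `neverallow hwservicemanager init:binder { call transfer };` would keep the old boundary enforced at build time. The new comment says calls go to "clients who request service notifications", but the rule applies to every `hwbinder_use` domain; `# The permission to do this is granted to every hwbinder_use domain.` would match the policy.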
diff --git a/public/te_macros b/public/te_macros
index 6a1a5ffe3..094642c0c 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -192,6 +192,8 @@ allow servicemanager $1:process getattr;
 define(`hwbinder_use', `
 # Call the hwservicemanager and transfer references to it.
 allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
 # hwservicemanager performs getpidcon on clients.
 allow hwservicemanager $1:dir search;
 allow hwservicemanager $1:file { read open };
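Review bot: The added `allow hwservicemanager $1:binder { call transfer };` lets hwservicemanager initiate calls into every domain that uses `hwbinder_use`, not only the clients that register for notifications. That is broader than the commit description requires. If only some HAL clients call registerForNotifications, a separate macro invoked by just those domains would keep the reverse `call` permission at least privilege. At minimum the comment should state the real scope, e.g. `# Allow hwservicemanager to call back into any hwbinder_use domain (service notifications).` The macro body continues past the end of the hunk.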
-- 
GitLab