From 9c769aff744d434ba09f69b49eec9287b6b4f9f9 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Fri, 8 Jul 2016 13:49:09 +0200
Subject: [PATCH] Allow the NFC process to access hwservicemanager.

Add a macro to make this easier for other processes
as well.

Change-Id: I489d0ce042fe5ef88dc767a6fbdb9b795be91601
(cherry picked from commit c2b9c1561e4bd7ac86d78b44ca7927994e781da0)
---
 nfc.te    |  3 +++
 te_macros | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/nfc.te b/nfc.te
index fc7e16708..a4383bb4f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -4,6 +4,9 @@ app_domain(nfc)
 net_domain(nfc)
 binder_service(nfc)
 
+# hwbinder access
+hwbinder_use(nfc)
+
 # Set NFC properties
 set_prop(nfc, nfc_prop)
 
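Review bot: The comment `# hwbinder access` above `hwbinder_use(nfc)` does not say why the NFC app domain needs HwBinder, which makes the grant hard to audit against least privilege later. A comment naming the purpose would help, for example `# Allow nfc to look up its hardware service through hwservicemanager.`, adjusted to whatever service is intended. As defined in te_macros in this same patch, the macro only permits `call` and `transfer` toward hwservicemanager itself. If nfc is expected to call a server domain over HwBinder, that presumably needs its own rule, which this hunk does not include.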
diff --git a/te_macros b/te_macros
index cfb9785f9..7ed051848 100644
--- a/te_macros
+++ b/te_macros
@@ -186,6 +186,20 @@ allow servicemanager $1:process getattr;
 # all domains in domain.te.
 ')
 
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
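Review bot: The closing comment in `hwbinder_use` says rw access to /dev/hwbinder is granted to all domains in domain.te, but this patch does not touch domain.te, so that cannot be confirmed from here. If no such rule exists, callers of the macro will still be denied on the device node and the comment is misleading. If it does exist, this macro is the only gate on reaching hwservicemanager, which is worth stating outright. The body appears to mirror the servicemanager rules whose tail is visible as context at the top of the hunk, so I would add `# Mirrors binder_use; keep the two in sync, and see domain.te for the /dev/hwbinder device rule.` The header could also note that `$1` is the client domain, and that the `dir search`, `file { read open }` and `process getattr` rules let hwservicemanager inspect that client for getpidcon.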
-- 
GitLab