Use _client and _server for Audio HAL policy

This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20

private/audioserver.te

@@ -10,12 +10,8 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, appdomain)
 binder_service(audioserver)
 
-hwbinder_use(audioserver)
-binder_call(audioserver, hal_audio)
-hwallocator_use(audioserver)
+hal_client_domain(audioserver, hal_audio)
 
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
 
 userdebug_or_eng(`
@@ -28,9 +24,6 @@ userdebug_or_eng(`
   allow audioserver self:process ptrace;
 ')
 
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
 add_service(audioserver, audioserver_service)
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
@@ -42,10 +35,6 @@ allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
 ###
 ### neverallow rules
 ###

private/halclientdomain.te

+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)

private/haldomain.te

-###
-### Rules for all HAL implementations
-###
-
-hwbinder_use(haldomain)
-
-# find passthrough hals
-allow haldomain system_file:dir r_dir_perms;

private/halserverdomain.te

+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;

public/attributes

@@ -117,11 +117,15 @@ attribute boot_control_hal;
 # recovery for A/B devices.
 attribute update_engine_common;
 
-# All domains used for HAL implementations
-attribute haldomain;
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
 
 # HALs
 attribute hal_audio;
+attribute hal_audio_client;
+attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_camera;
 attribute hal_configstore;

public/hal_audio.te

-binder_use(hal_audio)
-binder_call(hal_audio, audioserver)
-binder_call(hal_audio, system_server)
-hwallocator_use(hal_audio)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+# Both client and the server need to use hwallocator
+hwallocator_use(hal_audio_client)
+hwallocator_use(hal_audio_server)
 
 allow hal_audio ion_device:chr_file r_file_perms;
 
@@ -17,8 +20,6 @@ r_dir_file(hal_audio, proc)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
-allow hal_audio scheduling_policy_service:service_manager find;
-
 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(hal_audio, bluetooth, bluetooth)
@@ -27,10 +28,9 @@ unix_socket_connect(hal_audio, bluetooth, bluetooth)
 ### neverallow rules
 ###
 
-# hal_audio should never execute any executable without
-# a domain transition
+# Should never execute any executable without a domain transition
 neverallow hal_audio { file_type fs_type }:file execute_no_trans;
 
-# hal_audio should never need network access.
+# Should never need network access.
 # Disallow network sockets.
 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;

public/te_macros

@@ -148,6 +148,7 @@ define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')
 
+# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
 #####################################
 # hal_impl_domain(domain[, hal_type_attr])
 # Allow a base set of permissions required for a domain to host a
@@ -163,10 +164,46 @@ typeattribute $1 bluetoothdomain;
 #   hal_impl_domain(hal_foo_default, hal_foo)
 #
 define(`hal_impl_domain', `
-typeattribute $1 haldomain;
+print(`deprecated: hal_impl_domain($1, $2) Please use hal_server_domain($1, $2) instead.');
+typeattribute $1 halserverdomain;
 ifelse($2, `', `', `typeattribute $1 $2;')
 ')
 
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+#   hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional,
+# once we know at build time whether a HAL is going to run in
+# passthrough or binderized mode.
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via

vendor/hal_audio_default.te

 type hal_audio_default, domain;
-hal_impl_domain(hal_audio_default, hal_audio)
+hal_server_domain(hal_audio_default, hal_audio)
 
 type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)