Create selinux policy for remoteaccess HAL.

Will add fuzzer once the service is implemented. Test: Run remoteaccess HAL on gcar_emu. Verify the service is running. Bug: 241483300 Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
2022-09-13 17:06:55 -07:00 · 2022-09-13 17:06:55 -07:00 · 05a7389aa9
commit 05a7389aa9
parent 0ecf99def5
8 changed files with 19 additions and 1 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -23,6 +23,7 @@ var (
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/0":                     []string{},
 		"android.hardware.boot.IBootControl/default":                              []string{},
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/1":                     []string{},
 		"android.hardware.automotive.remoteaccess.IRemoteAccess/default":          []string{},
 		"android.hardware.automotive.vehicle.IVehicle/default":                    []string{},
 		"android.hardware.automotive.audiocontrol.IAudioControl/default":          []string{},
 		"android.hardware.biometrics.face.IFace/default":                          []string{},
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -10,6 +10,7 @@
    device_config_memory_safety_native_prop
    device_config_vendor_system_native_prop
    hal_bootctl_service
    hal_remoteaccess_service
    hal_tv_input_service
    keystore_config_prop
    permissive_mte_prop
--- a/private/service_contexts
+++ b/private/service_contexts
@ -5,8 +5,9 @@ android.hardware.authsecret.IAuthSecret/default                      u:object_r:
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
 android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.automotive.remoteaccess.IRemoteAccess/default       u:object_r:hal_remoteaccess_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
--- a/public/attributes
+++ b/public/attributes
@ -362,6 +362,7 @@ hal_attribute(omx);
 hal_attribute(power);
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(remoteaccess);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
--- a/public/hal_remoteaccess.te
+++ b/public/hal_remoteaccess.te
@ -0,0 +1,6 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_remoteaccess_client, hal_remoteaccess_server)
 binder_call(hal_remoteaccess_server, hal_remoteaccess_client)
 hal_attribute_service(hal_remoteaccess, hal_remoteaccess_service)
--- a/public/service.te
+++ b/public/service.te
@ -294,6 +294,7 @@ type hal_power_service, protected_service, hal_service_type, service_manager_typ
 type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
 type hal_radio_service, protected_service, hal_service_type, service_manager_type;
 type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -13,6 +13,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
--- a/vendor/hal_remoteaccess_default.te
+++ b/vendor/hal_remoteaccess_default.te
@ -0,0 +1,6 @@
 type hal_remoteaccess_default, domain;
 hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
 # may be started by init
 type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_remoteaccess_default)