Add sepolicy for IBootControl AIDL

Test: th Bug: 227536004 Change-Id: I1206b4aae1aab904a76836c893ee583b5ce54624
2022-03-30 20:05:23 -07:00 · 2022-03-30 20:05:23 -07:00 · 187cb2c64c
commit 187cb2c64c
parent c53f08e3b3
6 changed files with 9 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -6,6 +6,7 @@
 (typeattributeset new_objects
  ( new_objects
    device_config_vendor_system_native_prop
+    hal_bootctl_service
    virtual_face_hal_prop
    virtual_fingerprint_hal_prop
  ))
--- a/private/service_contexts
+++ b/private/service_contexts
@ -2,6 +2,7 @@ android.hardware.audio.core.IConfig/default                          u:object_r:
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
+android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
--- a/private/update_engine.te
+++ b/private/update_engine.te
@ -30,3 +30,7 @@ get_prop(update_engine, snapuserd_prop)
 # capex decompression
 allow update_engine apex_service:service_manager find;
 binder_call(update_engine, apexd)
+
+# let this domain use the hal service
+binder_use(update_engine)
+hal_client_domain(update_engine, hal_bootctl)
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@ -1,6 +1,7 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+binder_use(hal_bootctl_server)

 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 allow hal_bootctl_server proc_bootconfig:file r_file_perms;
--- a/public/service.te
+++ b/public/service.te
@ -269,6 +269,7 @@ type emergency_affordance_service, system_server_service, service_manager_type;
 type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -20,6 +20,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0