Add charger_type.

This is the common type for domains that executes charger's
functionalities, including setting and getting necessary properties,
permissions to maintain the health loop, writing to kernel log, handling
inputs and drawing screens, etc.

Permissions specific to the system charger is not moved.

Also enforce stricter neverallow rules on charger_{status,config}_prop.

For charger_config_prop, only init / vendor_init can set.
For charger_status_prop, only init / vendor_init / charger / health HAL
  can set.
For both, only init / vendor_init / charger / dumpstate / health HAL
  can get.

(Health HAL is determined by the intersection of charger_type and
hal_health_server.)

A follow up CL will be added to add charger_type to hal_health_default,
the default domain for health HAL servers. Vendors may add charger_type
to their domains that serves the health AIDL HAL as well.

Test: manual
Bug: 203246116
Change-Id: I0e99b6b68d381b7f73306d93ee4f8c5c8abdf026

private/charger.te

@@ -2,16 +2,13 @@ typeattribute charger coredomain;
 
 # charger needs to tell init to continue the boot
 # process when running in charger mode.
+# The system charger needs to be allowed to set these properties on legacy devices.
 set_prop(charger, system_prop)
 set_prop(charger, exported_system_prop)
 set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
 
+# The system charger can read ro.charger.*
 get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
 
 compatible_property_only(`
     neverallow {
@@ -21,11 +18,3 @@ compatible_property_only(`
         -charger
     } charger_prop:file no_rw_file_perms;
 ')
-
-neverallow {
-    domain
-    -init
-    -dumpstate
-    -vendor_init
-    -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;

private/charger_type.te

@@ -0,0 +1,38 @@
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger_type, charger_status_prop)
+get_prop(charger_type, charger_config_prop)
+
+# get minui properties
+get_prop(charger_type, recovery_config_prop)
+
+### Neverallow rules for charger properties
+
+# charger_config_prop: Only init and vendor_init is allowed to set it
+neverallow {
+    domain
+    -init
+    -vendor_init
+} charger_config_prop:property_service set;
+
+# charger_status_prop: Only init, vendor_init, charger, and hal_health_server
+# are allowed to set it
+neverallow {
+    domain
+    -init
+    -vendor_init
+    -charger
+    -hal_health_server
+} charger_status_prop:property_service set;
+
+# Both charger_config_prop and charger_status_prop:
+# Only init, vendor_init, dumpstate, charger, and hal_health_server
+# are allowed to read it
+neverallow {
+    domain
+    -init
+    -dumpstate
+    -vendor_init
+    -charger
+    -hal_health_server
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;

public/attributes

@@ -412,3 +412,10 @@ attribute gsi_metadata_file_type;
 # Types used for module-specific APEX data directories under
 # /data/{misc,misc_ce,misc_de}/apexdata.
 attribute apex_data_file_type;
+
+# Domains used for charger.
+# This is the common type for domains that executes charger's
+# functionalities, including setting and getting necessary properties,
+# permissions to maintain the health loop, writing to kernel log, handling
+# inputs and drawing screens, etc.
+attribute charger_type;

public/charger.te

@@ -1,40 +1,5 @@
-type charger, domain;
+type charger, charger_type, domain;
 type charger_exec, system_file_type, exec_type, file_type;
 
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
+# The system charger is a client of HIDL health HAL.
 hal_client_domain(charger, hal_health)

public/charger_type.te

@@ -0,0 +1,37 @@
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+    sys_boot
+    sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;