Merge "Switch Boot Control HAL policy to _client/_server"
commit
51a2238c9e
12 changed files with 21 additions and 37 deletions
|
@ -174,7 +174,6 @@ binder_service(system_server)
|
||||||
# Perform HwBinder IPC.
|
# Perform HwBinder IPC.
|
||||||
hwbinder_use(system_server)
|
hwbinder_use(system_server)
|
||||||
hwallocator_use(system_server)
|
hwallocator_use(system_server)
|
||||||
binder_call(system_server, hal_boot)
|
|
||||||
binder_call(system_server, hal_contexthub)
|
binder_call(system_server, hal_contexthub)
|
||||||
hal_client_domain(system_server, hal_contexthub)
|
hal_client_domain(system_server, hal_contexthub)
|
||||||
hal_client_domain(system_server, hal_fingerprint)
|
hal_client_domain(system_server, hal_fingerprint)
|
||||||
|
|
|
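Review bot: The new side of this hunk drops `binder_call(system_server, hal_boot)` without adding a `hal_client_domain(system_server, hal_bootctl)` line, so system_server is left with no access to the boot control HAL at all, whereas hal_contexthub and hal_fingerprint on the following lines are expressed as client rules. That is the right least-privilege outcome if nothing in system_server still calls the HAL; the public hal_boot.te deleted in this same commit had `binder_call(hal_boot, system_server)` documented as callbacks, which suggests there once was a caller. Confirm on a device boot that no `avc: denied` for system_server against the bootctl hwservice appears; if one does, the fix is `hal_client_domain(system_server, hal_bootctl)` rather than restoring the raw binder_call.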
@ -110,11 +110,6 @@ attribute bluetoothdomain;
|
||||||
# All domains used for binder service domains.
|
# All domains used for binder service domains.
|
||||||
attribute binderservicedomain;
|
attribute binderservicedomain;
|
||||||
|
|
||||||
# All domains that access the boot_control HAL. The permissions the HAL
|
|
||||||
# requires are specific to the implementation provided in each device, but
|
|
||||||
# common daemons need to be aware of those when calling into the HAL.
|
|
||||||
attribute boot_control_hal;
|
|
||||||
|
|
||||||
# update_engine related domains that need to apply an update and run
|
# update_engine related domains that need to apply an update and run
|
||||||
# postinstall. This includes the background daemon and the sideload tool from
|
# postinstall. This includes the background daemon and the sideload tool from
|
||||||
# recovery for A/B devices.
|
# recovery for A/B devices.
|
||||||
|
@ -132,6 +127,9 @@ attribute hal_audio_server;
|
||||||
attribute hal_bluetooth;
|
attribute hal_bluetooth;
|
||||||
attribute hal_bluetooth_client;
|
attribute hal_bluetooth_client;
|
||||||
attribute hal_bluetooth_server;
|
attribute hal_bluetooth_server;
|
||||||
|
attribute hal_bootctl;
|
||||||
|
attribute hal_bootctl_client;
|
||||||
|
attribute hal_bootctl_server;
|
||||||
attribute hal_camera;
|
attribute hal_camera;
|
||||||
attribute hal_camera_client;
|
attribute hal_camera_client;
|
||||||
attribute hal_camera_server;
|
attribute hal_camera_server;
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
# Allow read/write bootctrl block device, if one is defined.
|
|
||||||
allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
|
|
|
@ -99,6 +99,3 @@ type metadata_block_device, dev_type;
|
||||||
|
|
||||||
# The 'misc' partition used by recovery and A/B.
|
# The 'misc' partition used by recovery and A/B.
|
||||||
type misc_block_device, dev_type;
|
type misc_block_device, dev_type;
|
||||||
|
|
||||||
# Bootctrl block device used by A/B update (update_engine, update_verifier).
|
|
||||||
type bootctrl_block_device, dev_type;
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
# boot_control subsystem
|
|
||||||
type hal_boot, domain, boot_control_hal;
|
|
||||||
|
|
||||||
# call into system_server process (callbacks)
|
|
||||||
binder_call(hal_boot, system_server)
|
|
3
public/hal_bootctl.te
Normal file
3
public/hal_bootctl.te
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# HwBinder IPC from client to server, and callbacks
|
||||||
|
binder_call(hal_bootctl_client, hal_bootctl_server)
|
||||||
|
binder_call(hal_bootctl_server, hal_bootctl_client)
|
|
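Review bot: `binder_call(hal_bootctl_server, hal_bootctl_client)` on the last line lets the server domain call into every hal_bootctl client domain (update_engine, update_verifier and recovery after this commit), which is broader than the removed rule that allowed hal_boot to call back only into system_server. If the boot control interface has no callback methods, this line can be dropped; if it does, the comment should say which direction is the callback path so the grant is reviewable, e.g. `# Callbacks: the server may call back into any hal_bootctl client domain`. Whether callbacks exist cannot be told from this page, so please confirm against the HAL interface.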
@ -8,7 +8,8 @@ type recovery, domain, domain_deprecated;
|
||||||
# Otherwise recovery is only allowed the domain rules.
|
# Otherwise recovery is only allowed the domain rules.
|
||||||
recovery_only(`
|
recovery_only(`
|
||||||
# Allow recovery to perform an update as update_engine would do.
|
# Allow recovery to perform an update as update_engine would do.
|
||||||
typeattribute recovery update_engine_common, boot_control_hal;
|
typeattribute recovery update_engine_common;
|
||||||
|
hal_client_domain(recovery, hal_bootctl)
|
||||||
|
|
||||||
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
||||||
|
|
||||||
|
|
|
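Review bot: `hal_client_domain(recovery, hal_bootctl)` is added without the `# Use Boot Control HAL` comment that the update_engine.te and update_verifier.te hunks of this commit place above the same macro, so the only comment above it still describes the update_engine_common typeattribute. Add the matching line so the three client grants read the same way: `# Use Boot Control HAL`. The `recovery_only(` block that contains these lines ends outside the hunk.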
@ -1,6 +1,5 @@
|
||||||
# Domain for update_engine daemon.
|
# Domain for update_engine daemon.
|
||||||
# update_engine uses the boot_control_hal.
|
type update_engine, domain, domain_deprecated, update_engine_common;
|
||||||
type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
|
|
||||||
type update_engine_exec, exec_type, file_type;
|
type update_engine_exec, exec_type, file_type;
|
||||||
type update_engine_data_file, file_type, data_file_type;
|
type update_engine_data_file, file_type, data_file_type;
|
||||||
|
|
||||||
|
@ -39,6 +38,5 @@ binder_call(update_engine, priv_app)
|
||||||
allow update_engine ota_package_file:file r_file_perms;
|
allow update_engine ota_package_file:file r_file_perms;
|
||||||
allow update_engine ota_package_file:dir r_dir_perms;
|
allow update_engine ota_package_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Use binderized HAL
|
# Use Boot Control HAL
|
||||||
hwbinder_use(update_engine)
|
hal_client_domain(update_engine, hal_bootctl)
|
||||||
binder_call(update_engine, hal_boot)
|
|
||||||
|
|
|
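Review bot: The second hunk replaces `hwbinder_use(update_engine)` with `hal_client_domain(update_engine, hal_bootctl)`, so update_engine keeps HwBinder access only if that macro expands to hwbinder_use; the macro definition is not on this page, so that needs confirming, and the same substitution is made in the update_verifier.te hunks below. If the macro covers it, nothing to change; if update_engine talks to any HwBinder service other than the boot control HAL, its own `hwbinder_use(update_engine)` line has to come back alongside the client rule. The update_verifier hunk additionally drops `allow update_verifier system_file:dir r_dir_perms;` (commented "find the boot_control_hal"), which is consistent with reaching the HAL over HwBinder rather than loading it from /system, provided nothing else in update_verifier depends on that search right.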
@ -1,11 +1,7 @@
|
||||||
# update_verifier
|
# update_verifier
|
||||||
# update_verifier uses the boot_control_hal.
|
type update_verifier, domain;
|
||||||
type update_verifier, domain, boot_control_hal;
|
|
||||||
type update_verifier_exec, exec_type, file_type;
|
type update_verifier_exec, exec_type, file_type;
|
||||||
|
|
||||||
# find the boot_control_hal
|
|
||||||
allow update_verifier system_file:dir r_dir_perms;
|
|
||||||
|
|
||||||
# Allow update_verifier to reach block devices in /dev/block.
|
# Allow update_verifier to reach block devices in /dev/block.
|
||||||
allow update_verifier block_device:dir search;
|
allow update_verifier block_device:dir search;
|
||||||
|
|
||||||
|
@ -16,6 +12,5 @@ allow update_verifier ota_package_file:file r_file_perms;
|
||||||
# Read all blocks in dm wrapped system partition.
|
# Read all blocks in dm wrapped system partition.
|
||||||
allow update_verifier dm_device:blk_file r_file_perms;
|
allow update_verifier dm_device:blk_file r_file_perms;
|
||||||
|
|
||||||
# Use binderized HAL
|
# Use Boot Control HAL
|
||||||
hwbinder_use(update_verifier)
|
hal_client_domain(update_verifier, hal_bootctl)
|
||||||
binder_call(update_verifier, hal_boot)
|
|
||||||
|
|
2
vendor/file_contexts
vendored
2
vendor/file_contexts
vendored
|
@ -4,7 +4,7 @@
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
|
||||||
|
|
6
vendor/hal_boot.te
vendored
6
vendor/hal_boot.te
vendored
|
@ -1,6 +0,0 @@
|
||||||
# boot_control subsystem
|
|
||||||
|
|
||||||
hal_impl_domain(hal_boot)
|
|
||||||
|
|
||||||
type hal_boot_exec, exec_type, file_type;
|
|
||||||
init_daemon_domain(hal_boot)
|
|
6
vendor/hal_bootctl_default.te
vendored
Normal file
6
vendor/hal_bootctl_default.te
vendored
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
# Boot control subsystem
|
||||||
|
type hal_bootctl_default, domain;
|
||||||
|
hal_server_domain(hal_bootctl_default, hal_bootctl)
|
||||||
|
|
||||||
|
type hal_bootctl_default_exec, exec_type, file_type;
|
||||||
|
init_daemon_domain(hal_bootctl_default)
|
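Review bot: The new hal_bootctl_default domain is granted no block device access, yet this commit also deletes `type bootctrl_block_device, dev_type;` and `allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;`, so a default implementation that reads or writes a boot control partition has no rule until device-specific policy adds one, and any device file_contexts still labelling a partition as bootctrl_block_device would now refer to a type that no longer exists. A one-line comment after the `hal_server_domain` line would make that contract explicit: `# Access to the device's boot control partition must be granted by device-specific policy.`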