Restrict access to hwservicemanager

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31

private/app.te

@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec)
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 

private/bluetooth.te

@@ -58,7 +58,6 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 
 hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
 hal_client_domain(bluetooth, hal_telephony)
 
 read_runtime_log_tags(bluetooth)

private/halclientdomain.te

@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain)
 
 # Used to wait for hwservicemanager
 get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;

private/hwservice_contexts

@@ -1,2 +1,48 @@
-android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
-*                                    u:object_r:default_android_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper                        u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
+android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator                            u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
+android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
+*                                                               u:object_r:default_android_hwservice:s0

private/hwservicemanager.te

@@ -1,3 +1,6 @@
 typeattribute hwservicemanager coredomain;
 
 init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)

private/keystore.te

@@ -1,3 +1,10 @@
 typeattribute keystore coredomain;
 
 init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)

private/mediaserver.te

@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;

private/surfaceflinger.te

@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject;
 read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)

private/system_server.te

@@ -167,36 +167,26 @@ binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
 hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
 hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
 hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 binder_call(system_server, mediacodec)
@@ -204,6 +194,13 @@ binder_call(system_server, mediacodec)
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
@@ -634,9 +631,6 @@ r_dir_file(system_server, proc_net)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
 allow system_server sysfs_leds:lnk_file read;

private/vr_hwc.te

@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain;
 
 # Daemon started by init.
 init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)

public/cameraserver.te

@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
 
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
 ###
 ### neverallow rules
 ###

public/domain.te

@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
@@ -430,6 +428,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # from service name to service_type are defined in service_contexts.
 neverallow * default_android_service:service_manager add;
 
+# Do not allow hwservice_manager add for default_android_hwservice.
+# Instead domains should use a more specific type such as
+# hal_audio_hwservice rather than the generic type.
+# New service_types are defined in hwservice.te and new mappings
+# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;

public/dumpstate.te

@@ -94,11 +94,9 @@ r_dir_file(dumpstate, cgroup)
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain netd wificond })
 
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
 hal_client_domain(dumpstate, hal_dumpstate)
 hal_client_domain(dumpstate, hal_graphics_allocator)
-binder_call(dumpstate, hal_vibrator)
+# Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };

public/hal_allocator.te

@@ -1,2 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;

public/hal_audio.te

@@ -2,6 +2,9 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
 allow hal_audio ion_device:chr_file r_file_perms;
 
 userdebug_or_eng(`

public/hal_bluetooth.te

@@ -2,6 +2,9 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.

public/hal_bootctl.te

@@ -1,3 +1,6 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;

public/hal_camera.te

@@ -2,7 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;

public/hal_configstore.te

@@ -1,2 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.

public/hal_contexthub.te

@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;

public/hal_drm.te

@@ -2,6 +2,11 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
 

public/hal_dumpstate.te

@@ -2,6 +2,9 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls

public/hal_fingerprint.te

@@ -2,6 +2,9 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 

public/hal_gatekeeper.te

@@ -1,5 +1,8 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper ion_device:chr_file r_file_perms;

public/hal_gnss.te

@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;

public/hal_graphics_allocator.te

@@ -1,6 +1,10 @@
 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;

public/hal_graphics_composer.te

@@ -1,5 +1,9 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;

public/hal_health.te

@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order

public/hal_ir.te

@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;

public/hal_keymaster.te

@@ -1,5 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;

public/hal_light.te

@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;

public/hal_memtrack.te

@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;

public/hal_nfc.te

@@ -2,6 +2,9 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
 

public/hal_power.te

@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;

public/hal_sensors.te

@@ -1,6 +1,9 @@
 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
 

public/hal_telephony.te

@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+

public/hal_thermal.te

@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;

public/hal_tv_cec.te

@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;

public/hal_tv_input.te

@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;

public/hal_usb.te

@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;

public/hal_vibrator.te

@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;

public/hal_vr.te

@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;

public/hal_wifi.te

@@ -2,6 +2,9 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 

public/hal_wifi_supplicant.te

@@ -2,6 +2,9 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 

public/healthd.te

@@ -24,8 +24,6 @@ wakelock_use(healthd)
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
 hal_client_domain(healthd, hal_health)
 
 # Write to state file.

public/hwservice.te

@@ -1,2 +1,42 @@
-type default_android_hwservice,   hwservice_manager_type;
-type hw_camera_provider_ICameraProvider,             hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type;
+type fwk_sensor_hwservice, hwservice_manager_type;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type;
+type hidl_memory_hwservice, hwservice_manager_type;
+type hidl_token_hwservice, hwservice_manager_type;
+type system_wifi_keystore_hwservice, hwservice_manager_type;

public/keystore.te

@@ -7,13 +7,6 @@ binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
 
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

public/mediacodec.te

@@ -34,6 +34,8 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_omx_hwservice)
+
 hal_client_domain(mediacodec, hal_allocator)
 
 # allocate and use graphic buffers

public/mediaserver.te

@@ -95,6 +95,9 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;

public/radio.te

@@ -37,5 +37,4 @@ allow radio system_api_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
-binder_call(radio, hal_telephony)
 hal_client_domain(radio, hal_telephony)

public/te_macros

@@ -509,6 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 

vendor/hal_camera_default.te

@@ -3,3 +3,5 @@ hal_server_domain(hal_camera_default, hal_camera)
 
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;

vendor/hal_sensors_default.te

@@ -3,3 +3,5 @@ hal_server_domain(hal_sensors_default, hal_sensors)
 
 type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;

vendor/hal_wifi_supplicant_default.te

@@ -10,4 +10,5 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
 binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)