From 254d757289c7ecbee235ab2d3da9d5b089b8f006 Mon Sep 17 00:00:00 2001
From: Ivailo Karamanolev <ivailok@google.com>
Date: Tue, 21 Jan 2020 16:37:44 +0100
Subject: [PATCH] Add rules for Lights AIDL HAL

Test: manual; yukawa and cuttlefish; adb logcat | grep -i avc
Bug: 142230898
Change-Id: I9f576511d1fc77c5f0ad3cf1b96b038b301773d7
---
 private/blank_screen.te             | 2 ++
 private/compat/29.0/29.0.ignore.cil | 2 ++
 private/service_contexts            | 2 ++
 public/domain.te                    | 1 +
 public/hal_light.te                 | 7 +++++++
 public/service.te                   | 2 ++
 6 files changed, 16 insertions(+)

diff --git a/private/blank_screen.te b/private/blank_screen.te
index 51310d180..69dd7e6a0 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,3 +4,5 @@ type blank_screen_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(blank_screen)
 
 hal_client_domain(blank_screen, hal_light)
+
+allow blank_screen hal_light_service:service_manager find;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 3a5be19d0..322360d55 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -34,6 +34,7 @@
     hal_can_bus_hwservice
     hal_can_controller_hwservice
     hal_identity_hwservice
+    hal_light_service
     hal_power_service
     hal_rebootescrow_service
     hal_tv_tuner_hwservice
@@ -51,6 +52,7 @@
     mediatranscoding_exec
     mediatranscoding_tmpfs
     mirror_data_file
+    light_service
     linker_prop
     linkerconfig_file
     mock_ota_prop
diff --git a/private/service_contexts b/private/service_contexts
index 641798a6b..19d3b0dfa 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:hal_rebootescrow_service:s0
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
@@ -114,6 +115,7 @@ isms                                      u:object_r:radio_service:s0
 isub                                      u:object_r:radio_service:s0
 jobscheduler                              u:object_r:jobscheduler_service:s0
 launcherapps                              u:object_r:launcherapps_service:s0
+lights                                    u:object_r:light_service:s0
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
 looper_stats                              u:object_r:looper_stats_service:s0
diff --git a/public/domain.te b/public/domain.te
index feb043512..4dc218acc 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -652,6 +652,7 @@ full_treble_only(`
     -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
     -cameraserver_service
     -drmserver_service
+    -hal_light_service # TODO(b/148154485) remove once all violators are gone
     -keystore_service
     -mediadrmserver_service
     -mediaextractor_service
diff --git a/public/hal_light.te b/public/hal_light.te
index 333fcac60..1e70b74d5 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,6 +4,13 @@ binder_call(hal_light_server, hal_light_client)
 
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
 
+add_service(hal_light_server, hal_light_service)
+binder_call(hal_light_server, servicemanager)
+
+allow hal_light_client hal_light_service:service_manager find;
+
+allow hal_light_server dumpstate:fifo_file write;
+
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
 allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/service.te b/public/service.te
index d9bf83df4..76e642d5a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,6 +117,7 @@ type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_se
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
 type looper_stats_service, system_server_service, service_manager_type;
@@ -205,6 +206,7 @@ type tethering_service, app_api_service, ephemeral_app_api_service, system_serve
 ### HAL Services
 ###
 
+type hal_light_service, vendor_service, service_manager_type;
 type hal_power_service, vendor_service, service_manager_type;
 type hal_rebootescrow_service, vendor_service, service_manager_type;
 type hal_vibrator_service, vendor_service, service_manager_type;