From 6907e39aa4d0d1727269bfa1e407d078f486ae28 Mon Sep 17 00:00:00 2001
From: Daniel Nicoara
Date: Tue, 14 Mar 2017 16:26:17 -0400
Subject: [PATCH] VR: Add sepolicy for VR HWC service

VR HWC is being split out of VR Window Manager. It creates a HW binder interface used by SurfaceFlinger which implements the HWComposer HAL and a regular binder interface which will be used by a system app to receive the SurfaceFlinger output.

Bug: b/36051907
Test: Ran in permissive mode and ensured no permission errors show in logcat.
Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae
---
 private/file_contexts | 1 +
 private/service_contexts | 1 +
 private/system_app.te | 2 +-
 private/vr_hwc.te | 4 ++++
 public/dumpstate.te | 2 +-
 public/service.te | 1 +
 public/shell.te | 2 +-
 public/vr_hwc.te | 29 +++++++++++++++++++++++++++++
 public/vr_wm.te | 7 ++-----
 9 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 private/vr_hwc.te
 create mode 100644 public/vr_hwc.te
diff --git a/private/file_contexts b/private/file_contexts
index 668714491..7a52e5cd2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,6 +256,7 @@
 /system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
 #############################
 # Vendor files
diff --git a/private/service_contexts b/private/service_contexts
index db2e9f6c2..a65cb01a2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -157,6 +157,7 @@ vibrator u:object_r:vibrator_service:s0
 virtual_touchpad u:object_r:virtual_touchpad_service:s0
 voiceinteraction u:object_r:voiceinteraction_service:s0
 vr_window_manager u:object_r:vr_window_manager_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
 vrmanager u:object_r:vr_manager_service:s0
 wallpaper u:object_r:wallpaper_service:s0
 webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 1e2245f98..bab49c13d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,7 +57,7 @@ binder_call(system_app, incidentd)
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow system_app keystore:keystore_key {
 get_state
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 000000000..51d242061
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,4 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9b5432977..bfbb43bca 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -170,7 +170,7 @@ userdebug_or_eng(`
 allow dumpstate misc_logd_file:file r_file_perms;
 ')
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate devpts:chr_file rw_file_perms;
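Review bot: The new `-vr_hwc_service` exclusion in the system_app `service_manager find` rule (private/system_app.te) has no comment, and the commit description says the regular binder interface will be used by a system app, which this exclusion and the `neverallow` in public/vr_hwc.te rule out for anything running in the system_app domain. Presumably the consumer runs as vr_wm for now; if so, a comment above the rule such as `# vr_hwc_service is reserved for vr_wm; see the neverallow in public/vr_hwc.te` would record that intent. The same uncommented exclusion is added in public/dumpstate.te and public/shell.te, and the existing shell.te comment above its rule still names only GateKeeper.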
diff --git a/public/service.te b/public/service.te
index 444f82a57..f8fa174fe 100644
--- a/public/service.te
+++ b/public/service.te
@@ -28,6 +28,7 @@ type system_app_service, service_manager_type;
 type update_engine_service, service_manager_type;
 type virtual_touchpad_service, service_manager_type;
 type vr_window_manager_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 0e55f8490..caf93ca63 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,7 +82,7 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow shell dumpstate:binder call;
 # allow shell to get information from hwservicemanager
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
new file mode 100644
index 000000000..b0d3ad927
--- /dev/null
+++ b/public/vr_hwc.te
@@ -0,0 +1,29 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+binder_call(vr_hwc, vr_wm)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+use_pdx(vr_hwc, surfaceflinger)
+
+# Limit access so only vr_wm can connect.
+neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
diff --git a/public/vr_wm.te b/public/vr_wm.te
index deedb0a00..1e486097d 100644
--- a/public/vr_wm.te
+++ b/public/vr_wm.te
@@ -4,18 +4,15 @@ type vr_wm_exec, exec_type, file_type;
 hal_client_domain(vr_wm, hal_graphics_allocator)
 binder_use(vr_wm)
-binder_call(vr_wm, surfaceflinger)
 binder_call(vr_wm, virtual_touchpad)
+binder_call(vr_wm, vr_hwc)
 allow vr_wm virtual_touchpad_service:service_manager find;
+allow vr_wm vr_hwc_service:service_manager find;
 binder_service(vr_wm)
 add_service(vr_wm, vr_window_manager_service)
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_wm)
-
 # Load vendor libraries.
 allow vr_wm system_file:dir r_dir_perms;
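Review bot: `allow vr_hwc ion_device:chr_file r_file_perms;` is the one grant in the new public/vr_hwc.te without a comment, and `r_file_perms` includes `ioctl`, so the reason the daemon needs the ION device should be stated next to the rule. The `# Load vendor libraries.` comment sits above a rule that grants directory reads on `system_file`, which does not match what it describes; both lines appear to be carried over from vr_wm.te. The closing comment could also explain why vr_hwc is exempt from its own neverallow, for example `# Only vr_wm may find the service; vr_hwc is exempt because add_service() also grants find.`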
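Review bot: With the HWC role moved out, vr_wm still keeps `hal_client_domain(vr_wm, hal_graphics_allocator)` and `allow vr_wm system_file:dir r_dir_perms;` as unchanged context in public/vr_wm.te, and nothing in the hunk says whether the window manager still needs them. If they existed only for the HWC implementation they should be dropped here together with `hwbinder_use(vr_wm)` and the surfaceflinger `binder_call`; otherwise a one-line comment on each stating the remaining use would help. The description reports testing in permissive mode only, which would not reveal a grant that is no longer exercised. Any rules in vr_wm.te below the last context line are not visible in this hunk.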