Revert^2 "Adds a sepolicy for EVS manager service"

0137c98b90 Bug: 216727303 Test: m -j selinux_policy on failed targets reported in b/218802298 Change-Id: I2ae2fc85a4055f2cb7d19ff70b120e7b7ff0957d
2022-02-10 14:09:02 +00:00 · 2022-02-10 14:09:02 +00:00 · 8c12609bce
commit 8c12609bce
parent 0137c98b90
8 changed files with 56 additions and 1 deletions
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -19,6 +19,8 @@
    diced
    diced_exec
    fwk_automotive_display_service
+    evsmanagerd
+    evsmanagerd_service
    extra_free_kbytes
    extra_free_kbytes_exec
    fs_bpf_vendor
--- a/private/evsmanagerd.te
+++ b/private/evsmanagerd.te
@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -377,6 +377,8 @@
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
 /system/bin/cardisplayproxyd     u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0

 #############################
 # Vendor files
--- a/private/service_contexts
+++ b/private/service_contexts
@ -75,6 +75,7 @@ aidl_lazy_test_1                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_2                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_cb_test                         u:object_r:aidl_lazy_test_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.os.UpdateEngineStableService      u:object_r:update_engine_stable_service:s0
 android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
--- a/public/attributes
+++ b/public/attributes
@ -394,6 +394,7 @@ hal_attribute(wifi_supplicant);
 attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
+attribute evsmanager_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
--- a/public/evsmanagerd.te
+++ b/public/evsmanagerd.te
@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@ -1,5 +1,12 @@
 hwbinder_use(hal_evs_client)
 hwbinder_use(hal_evs_server)
+
 binder_call(hal_evs_client, hal_evs_server)
 binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
--- a/public/service.te
+++ b/public/service.te
@ -13,6 +13,7 @@ type dice_node_service,         service_manager_type;
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
+type evsmanagerd_service,       service_manager_type;
 type fingerprintd_service,      service_manager_type;
 type fwk_automotive_display_service, service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;