Merge "Make system server a client of boot control HAL"

2021-01-21 23:18:55 +00:00 · 2021-01-21 23:18:55 +00:00 · d06dfa3320
commit d06dfa3320
parent 314e6d9450 c447b9b09c
2 changed files with 10 additions and 0 deletions
--- a/private/system_server.te
+++ b/private/system_server.te
@ -275,6 +275,10 @@ hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
 hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')

 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
--- a/public/te_macros
+++ b/public/te_macros
@ -466,6 +466,12 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 #
 define(`recovery_only', ifelse(target_recovery, `true', $1, ))

+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
 #####################################
 # Full TREBLE only
 # SELinux rules which apply only to full TREBLE devices