Merge "Fastboot AIDL Sepolicy changes"

2022-11-10 18:29:00 +00:00 · 2022-11-10 18:29:00 +00:00 · d64fb55474
commit d64fb55474
parent c041485773 f0ea953e60
10 changed files with 23 additions and 0 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -46,6 +46,7 @@ var (
 		"android.hardware.drm.IDrmFactory/clearkey":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.drm.ICryptoFactory/clearkey":                            EXCEPTION_NO_FUZZER,
 		"android.hardware.dumpstate.IDumpstateDevice/default":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.fastboot.IFastboot/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.gatekeeper.IGatekeeper/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.gnss.IGnss/default":                                     EXCEPTION_NO_FUZZER,
 		"android.hardware.graphics.allocator.IAllocator/default":                  EXCEPTION_NO_FUZZER,
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -35,4 +35,5 @@
    hal_gatekeeper_service
    hal_broadcastradio_service
    hal_confirmationui_service
+    hal_fastboot_service
  ))
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@ -45,6 +45,9 @@ recovery_only(`

  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;
+  # Let this domain use the hal fastboot service
+  binder_use(fastbootd)
+  hal_client_domain(fastbootd, hal_fastboot)
 ')

 # io_uring_setup needs ipc_lock and permission to operate anon inodes
--- a/private/init.te
+++ b/private/init.te
@ -14,6 +14,7 @@ recovery_only(`
  domain_trans(init, rootfs, hal_bootctl_server)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
+  domain_trans(init, rootfs, hal_fastboot_server)
  domain_trans(init, rootfs, hal_health_server)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
--- a/private/service_contexts
+++ b/private/service_contexts
@ -24,6 +24,7 @@ android.hardware.contexthub.IContextHub/default                      u:object_r:
 android.hardware.drm.IDrmFactory/clearkey                            u:object_r:hal_drm_service:s0
 android.hardware.drm.ICryptoFactory/clearkey                         u:object_r:hal_drm_service:s0
 android.hardware.dumpstate.IDumpstateDevice/default                  u:object_r:hal_dumpstate_service:s0
+android.hardware.fastboot.IFastboot/default                          u:object_r:hal_fastboot_service:s0
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.graphics.allocator.IAllocator/default               u:object_r:hal_graphics_allocator_service:s0
 android.hardware.graphics.composer3.IComposer/default                u:object_r:hal_graphics_composer_service:s0
--- a/public/attributes
+++ b/public/attributes
@ -338,6 +338,7 @@ hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
 hal_attribute(face);
+hal_attribute(fastboot);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@ -13,6 +13,7 @@ recovery_only(`
  # fastbootd can use AIDL HALs in binder mode
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_health)
+  hal_client_domain(fastbootd, hal_fastboot)

  # Access /dev/usb-ffs/fastbootd/ep0
  allow fastbootd functionfs:dir search;
--- a/public/hal_fastboot.te
+++ b/public/hal_fastboot.te
@ -0,0 +1,7 @@
+# allow binder connection from client to server
+binder_call(hal_fastboot_client, hal_fastboot_server)
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_fastboot, hal_fastboot_service)
+# allow binder communication from server to service_manager
+binder_call(hal_fastboot_server, servicemanager)
+
--- a/public/service.te
+++ b/public/service.te
@ -281,6 +281,7 @@ type hal_drm_service, hal_service_type, service_manager_type;
 type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
 type hal_evs_service, protected_service, hal_service_type, service_manager_type;
 type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
 type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
 type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
 type hal_graphics_allocator_service, hal_service_type, service_manager_type;
--- a/vendor/hal_fastboot_default.te
+++ b/vendor/hal_fastboot_default.te
@ -0,0 +1,6 @@
+type hal_fastboot_default, domain;
+
+hal_server_domain(hal_fastboot_default, hal_fastboot)
+
+type hal_fastboot_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fastboot_default)