Add sepolicies for CPU HAL.

Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51 Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;` and verified CPU HAL is running without any sepolicy violation. Bug: 252883241
2022-10-13 17:26:14 +00:00 · 2022-10-13 17:26:14 +00:00 · f4ab6c9f3c
commit f4ab6c9f3c
parent 080c579d47
13 changed files with 34 additions and 0 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -43,6 +43,7 @@ var (
 		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
 		"android.hardware.confirmationui.IConfirmationUI/default":                 []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
 		"android.hardware.contexthub.IContextHub/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.cpu.monitor.IMonitor/default":                           EXCEPTION_NO_FUZZER,
 		"android.hardware.drm.IDrmFactory/clearkey":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.drm.ICryptoFactory/clearkey":                            EXCEPTION_NO_FUZZER,
 		"android.hardware.dumpstate.IDumpstateDevice/default":                     EXCEPTION_NO_FUZZER,
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -13,6 +13,8 @@
    devicelock_service
    hal_bootctl_service
    hal_cas_service
    hal_cpu_hwservice
    hal_cpu_service
    hal_remoteaccess_service
    hal_thermal_service
    hal_usb_gadget_service
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@ -27,6 +27,7 @@ android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_c
 android.hardware.confirmationui::IConfirmationUI                u:object_r:hal_confirmationui_hwservice:s0
 android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
 android.hardware.cas::IMediaCasService                          u:object_r:hal_cas_hwservice:s0
 android.hardware.cpu.monitor::IMonitor                          u:object_r:hal_cpu_hwservice:s0
 android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
 android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
 android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
--- a/private/service_contexts
+++ b/private/service_contexts
@ -21,6 +21,7 @@ android.hardware.camera.provider.ICameraProvider/internal/0          u:object_r:
 android.hardware.cas.IMediaCasService/default                        u:object_r:hal_cas_service:s0
 android.hardware.confirmationui.IConfirmationUI/default              u:object_r:hal_confirmationui_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0
 android.hardware.cpu.monitor.IMonitor/default                        u:object_r:hal_cpu_service:s0
 android.hardware.drm.IDrmFactory/clearkey                            u:object_r:hal_drm_service:s0
 android.hardware.drm.ICryptoFactory/clearkey                         u:object_r:hal_drm_service:s0
 android.hardware.dumpstate.IDumpstateDevice/default                  u:object_r:hal_dumpstate_service:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -310,6 +310,7 @@ hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_cpu)
 hal_client_domain(system_server, hal_face)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
@ -391,6 +392,7 @@ allow system_server {
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_cpu_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
--- a/public/attributes
+++ b/public/attributes
@ -333,6 +333,7 @@ hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(cpu);
 hal_attribute(dice);
 hal_attribute(drm);
 hal_attribute(dumpstate);
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -81,6 +81,7 @@ allow dumpstate {
  hal_broadcastradio_server
  hal_camera_server
  hal_codec2_server
  hal_cpu_server
  hal_drm_server
  hal_evs_server
  hal_face_server
@ -150,6 +151,7 @@ binder_call(dumpstate, { appdomain netd wificond })
 # Allow dumpstate to call dump() on specific hals.
 dump_hal(hal_authsecret)
 dump_hal(hal_contexthub)
 dump_hal(hal_cpu)
 dump_hal(hal_drm)
 dump_hal(hal_dumpstate)
 dump_hal(hal_face)
--- a/public/hal_cpu.te
+++ b/public/hal_cpu.te
@ -0,0 +1,9 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_cpu_client, hal_cpu_server)
 binder_call(hal_cpu_server, hal_cpu_client)
 hal_attribute_hwservice(hal_cpu, hal_cpu_hwservice)
 hal_attribute_service(hal_cpu, hal_cpu_service)
 binder_call(hal_cpu_server, servicemanager)
 binder_call(hal_cpu_client, servicemanager)
--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -19,6 +19,7 @@ type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_cpu_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
--- a/public/service.te
+++ b/public/service.te
@ -276,6 +276,7 @@ type hal_camera_service, protected_service, hal_service_type, service_manager_ty
 type hal_cas_service, hal_service_type, service_manager_type;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
 type hal_cpu_service, protected_service, hal_service_type, service_manager_type;
 type hal_dice_service, protected_service, hal_service_type, service_manager_type;
 type hal_drm_service, hal_service_type, service_manager_type;
 type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
--- a/public/su.te
+++ b/public/su.te
@ -72,6 +72,7 @@ userdebug_or_eng(`
  typeattribute su hal_configstore_client;
  typeattribute su hal_confirmationui_client;
  typeattribute su hal_contexthub_client;
  typeattribute su hal_cpu_client;
  typeattribute su hal_drm_client;
  typeattribute su hal_cas_client;
  typeattribute su hal_dumpstate_client;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -35,6 +35,7 @@
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example    u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cpu\.monitor-service\.example u:object_r:hal_cpu_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
--- a/vendor/hal_cpu_default.te
+++ b/vendor/hal_cpu_default.te
@ -0,0 +1,11 @@
 type hal_cpu_default, domain;
 hal_server_domain(hal_cpu_default, hal_cpu)
 type hal_cpu_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_cpu_default)
 # Allow reading /proc/stat
 allow hal_cpu_default proc_stat:file r_file_perms;
 # Allow reading cpuset information
 allow hal_cpu_default cgroup:dir r_dir_perms;