Merge "Mark all clients of Allocator HAL" am: 73a6f38b94

am: 5d8fcf3bb0

Change-Id: I5f88b48df906acb9381dc853d61dcd5ef8d5e4e4

Android.mk

@@ -124,6 +124,11 @@ sepolicy_build_files := security_classes \
                         genfs_contexts \
                         port_contexts
 
+# CIL files which contain workarounds for current limitation of human-readable
+# module policy language. These files are appended to the CIL files produced
+# from module language files.
+sepolicy_build_cil_workaround_files := technical_debt.cil
+
 my_target_arch := $(TARGET_ARCH)
 ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
   my_target_arch := mips
@@ -250,9 +255,13 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
@@ -1114,6 +1123,7 @@ plat_policy_nvr :=
 plat_pub_policy.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
+sepolicy_build_cil_workaround_files :=
 with_asan :=
 
 include $(call all-makefiles-under,$(LOCAL_PATH))

private/app.te

@@ -155,7 +155,6 @@ binder_call(appdomain, ephemeral_app)
 # hidl access for mediacodec
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
-hwallocator_use(appdomain)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how

private/audioserver.te

@@ -12,10 +12,9 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, appdomain)
 binder_service(audioserver)
 
+hal_client_domain(audioserver, hal_allocator)
 hal_client_domain(audioserver, hal_audio)
 
-allow audioserver system_file:dir r_dir_perms;
-
 userdebug_or_eng(`
   # used for TEE sink - pcm capture for debug.
   allow audioserver media_data_file:dir create_dir_perms;

private/system_server.te

@@ -168,7 +168,7 @@ binder_service(system_server)
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
-hwallocator_use(system_server)
+hal_client_domain(system_server, hal_allocator)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)

private/technical_debt.cil

@@ -0,0 +1,13 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))

public/hal_allocator.te

@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)

public/hal_audio.te

@@ -2,14 +2,8 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
-# Both client and the server need to use hwallocator
-hwallocator_use(hal_audio_client)
-hwallocator_use(hal_audio_server)
-
 allow hal_audio ion_device:chr_file r_file_perms;
 
-allow hal_audio system_file:dir { open read };
-
 userdebug_or_eng(`
   # used for pcm capture for debug.
   allow hal_audio audiohal_data_file:dir create_dir_perms;

public/mediacodec.te

@@ -25,10 +25,7 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
-# hidl access
-hwbinder_use(mediacodec)
-hwallocator_use(mediacodec)
-allow mediacodec system_file:dir { open read };
+hal_client_domain(mediacodec, hal_allocator)
 
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge

public/mediaserver.te

@@ -136,9 +136,7 @@ allow mediaserver hal_camera:fd use;
 
 allow mediaserver system_server:fd use;
 
-# hidl access
-hwbinder_use(mediaserver)
-hwallocator_use(mediaserver)
+hal_client_domain(mediaserver, hal_allocator)
 
 ###
 ### neverallow rules

public/te_macros

@@ -327,14 +327,6 @@ define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')
 
-#####################################
-# hwallocator_use(domain)
-# Allow a domain to use Hidl shared memory
-define(`hwallocator_use', `
-# Call into the allocator hal
-binder_call($1, hal_allocator_server);
-')
-
 #####################################
 # wakelock_use(domain)
 # Allow domain to manage wake locks

vendor/hal_audio_default.te

@@ -3,3 +3,5 @@ hal_server_domain(hal_audio_default, hal_audio)
 
 type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
+
+hal_client_domain(hal_audio_default, hal_allocator)