Recovery can use HALs only in passthrough mode

This adjusts the grants for recovery to make it explicit that recovery can use the Boot Control HAL only in passthrough mode. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5

Recovery can use HALs only in passthrough mode
00a03d42 · Alex Klyubin · 51a2238c · 00a03d42 · 00a03d42
Commit 00a03d42 authored 8 years ago by Alex Klyubin
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -9,7 +9,8 @@ type recovery, domain, domain_deprecated;
 recovery_only(`
  # Allow recovery to perform an update as update_engine would do.
  typeattribute recovery update_engine_common;
-  hal_client_domain(recovery, hal_bootctl)
+  # Recovery can only use HALs in passthrough mode
+  passthrough_hal_client_domain(recovery, hal_bootctl)

  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };


--- a/public/te_macros
+++ b/public/te_macros
@@ -203,6 +203,22 @@ typeattribute $1 $2;
 allow $2 system_file:dir r_dir_perms;
 ')

+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+#   passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via