From 00a03d424fbaf96c62863eae8a5cf279fcd7b8ab Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 20 Mar 2017 13:11:33 -0700
Subject: [PATCH] Recovery can use HALs only in passthrough mode

This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079

Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
---
 public/recovery.te |  3 ++-
 public/te_macros   | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/public/recovery.te b/public/recovery.te
index a61c8e94f..1ec19c5ad 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -9,7 +9,8 @@ type recovery, domain, domain_deprecated;
 recovery_only(`
   # Allow recovery to perform an update as update_engine would do.
   typeattribute recovery update_engine_common;
-  hal_client_domain(recovery, hal_bootctl)
+  # Recovery can only use HALs in passthrough mode
+  passthrough_hal_client_domain(recovery, hal_bootctl)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
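Review bot: The comment added above `passthrough_hal_client_domain(recovery, hal_bootctl)` states the restriction but not its consequence: the new macro (the `typeattribute $1 $2;` line in te_macros) gives recovery the hal_bootctl attribute itself, so every rule written for hal_bootctl anywhere in the policy now also applies to recovery, which a reader of recovery.te alone cannot see. Suggest `# Recovery can use HALs only in passthrough mode; the HAL is loaded in-process, so recovery itself carries the hal_bootctl attribute and its permissions`. The `recovery_only` block continues past the end of the hunk.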
diff --git a/public/te_macros b/public/te_macros
index bc5da6037..97dd948fc 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -203,6 +203,22 @@ typeattribute $1 $2;
 allow $2 system_file:dir r_dir_perms;
 ')
 
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+#   passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
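Review bot: The header comment for `passthrough_hal_client_domain` does not say that `typeattribute $1 $2;` makes the client domain a member of the HAL attribute itself, so the client inherits every allow rule granted to `$2` anywhere in the policy rather than only client-side rules — that is the security-relevant difference from `hal_client_domain` and the reason the macro should be reserved for domains where the HAL genuinely runs in the caller's process. Suggest adding to the header: `# The client domain is also given the $2 attribute, because a passthrough HAL runs inside the client's process; the client therefore receives every permission granted to $2. Presumably only for domains that cannot use a binderized HAL.` Also, the macro's last two lines repeat the tail of the preceding macro (the `allow $2 system_file:dir r_dir_perms;` rule at the top of this hunk), and since that rule is keyed on `$2` rather than `$1` it is already in effect whenever the preceding macro has been applied for the same HAL type — a comment noting the intentional duplication, or a shared helper, would make that clear. The `typeattribute $1 $2_client;` line is likewise left unexplained in the header.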
-- 
GitLab