Add permissions for hal_boot

The service running the boot control HAL needs the permissions provided by the boot_control_hal attribute. update_engine and update_verifier still also need these permissions in order to successfully call the new HAL in pass-through mode, but also need permission to call the new service. Bug: 31864052 Test: Built and confirmed no permission denials. Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911 Signed-off-by: Connor O'Brien <connoro@google.com>

Add permissions for hal_boot
12443b7a · Connor O'Brien · 1eb00fb6 · 12443b7a · 12443b7a · 12443b7a
Commit 12443b7a authored 8 years ago by Connor O'Brien
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
 # boot_control subsystem
-type hal_boot, domain;
+type hal_boot, domain, boot_control_hal;
 type hal_boot_exec, exec_type, file_type;

 # hwbinder access

--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -33,3 +33,7 @@ binder_call(update_engine, priv_app)
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use binderized HAL
+hwbinder_use(update_engine)
+binder_call(update_engine, hal_boot)
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -16,5 +16,3 @@ allow update_verifier system_block_device:blk_file r_file_perms;
 # Use binderized HAL
 hwbinder_use(update_verifier)
 binder_call(update_verifier, hal_boot)
-
-allow update_verifier system_file:dir r_dir_perms;