From 1f3294659d7d122ba87dc35632aa47df5cb6a81b Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Tue, 8 Nov 2016 16:04:17 -0800
Subject: [PATCH] Move boot_control_hal attribute to hal_boot domain

Grant boot_control_hal permissions to the hal_boot service;
update_engine and update_verifier can call that service rather
than using those permissions themselves.

Bug: 31864052
Test: `bootctl set-active-boot-slot 1`
Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69
---
 public/hal_boot.te        | 2 +-
 public/update_engine.te   | 7 +++++--
 public/update_verifier.te | 6 ++----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/public/hal_boot.te b/public/hal_boot.te
index 327fbf98f..3cbbb2916 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -1,5 +1,5 @@
 # boot_control subsystem
-type hal_boot, domain;
+type hal_boot, domain, boot_control_hal;
 type hal_boot_exec, exec_type, file_type;
 
 # hwbinder access
diff --git a/public/update_engine.te b/public/update_engine.te
index a3dee0db7..f4096279c 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,5 @@
 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
@@ -33,3 +32,7 @@ binder_call(update_engine, priv_app)
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use binderized boot HAL.
+hwbinder_use(update_engine)
+binder_call(update_engine, hal_boot)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 550cf659f..45761e20b 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,6 +1,5 @@
 # update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
 type update_verifier_exec, exec_type, file_type;
 
 # Allow update_verifier to reach block devices in /dev/block.
@@ -13,8 +12,7 @@ allow update_verifier ota_package_file:file r_file_perms;
 # Read all blocks in system partition.
 allow update_verifier system_block_device:blk_file r_file_perms;
 
-# Use binderized HAL
+# Use binderized boot HAL.
 hwbinder_use(update_verifier)
 binder_call(update_verifier, hal_boot)
 
-allow update_verifier system_file:dir r_dir_perms;
-- 
GitLab