From 22157e7a86e6d64bf55cea923e92999d05241c5d Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 7 Apr 2017 13:29:57 -0700
Subject: [PATCH] Treble devices use binderized HALs

All HALs which are represented by hal_* attributes in SELinux policy are required to run in binderized mode on Treble devices. This commit thus makes the SELinux policy for Treble devices no longer associate domains in hal_x_client with hal_x attribute, which is what was granting domains hosting clients of hal_x the rules needed to run this HAL in-process. The result is that core components have now less access.

This commit has no effect on non-Treble devices.

Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a video with sound, a slow motion video with sound. Photos and videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor take screenshot
Test: In all tests, no deials to do with hal_*, except pre-existing denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
---
 private/system_server.te | 5 -----
 public/te_macros | 8 +++++---
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index a4fa493ad..2711a8c1a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -197,11 +197,6 @@
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
-# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
-# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
-# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
-typeattribute system_server socket_between_core_and_vendor_violators;
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
diff --git a/public/te_macros b/public/te_macros
index 020bdc505..3ac0e5dc5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -175,15 +175,17 @@
 define(`hal_client_domain', `
 typeattribute $1 halclientdomain;
 typeattribute $1 $2_client;
-# TODO(b/34170079): Make the inclusion of the rules below conditional,
-# once we know at build time whether a HAL is going to run in
-# passthrough or binderized mode.
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
 allow $2 vendor_file:file { read open getattr execute };
 ')
+')
 
 #####################################
 # passthrough_hal_client_domain(domain, hal_type)
-- 
GitLab
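Review bot: The new `not_full_treble(` wrapper in the te_macros hunk is documented only for the non-Treble case; nothing in the macro says what full-Treble clients get instead, namely that `$1` no longer receives the `$2` attribute and therefore none of the passthrough access to `system_file`/`vendor_file` granted below, so the HAL has to be reached over binder. A comment directly above `not_full_treble(` such as `# Full-Treble devices: HALs are binderized only, so clients never get the $2 attribute or the passthrough rules below.` would make that intent visible where the rule lives rather than only in the commit message. The added closing `')` directly after the macro's pre-existing `')` is easy to misread as a stray closer; a short comment naming what it closes (e.g. `# end not_full_treble` on the line before it) would help. Minor wording in the new comment: `on non-Treble device` should read `on non-Treble devices`. The enclosing `define(`hal_client_domain'` opens at the hunk's first context line and its header comment lies outside the hunk.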