From 2370fc775cf9c6bd8c2aed83e6501afa7d863037 Mon Sep 17 00:00:00 2001
From: Connor O'Brien <connoro@google.com>
Date: Wed, 12 Oct 2016 15:15:12 -0700
Subject: [PATCH] sepolicy for boot_control HAL service

Bug: 31864052
Test: Logging confirms service runs on boot
Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Signed-off-by: Connor O'Brien <connoro@google.com>
---
 private/file_contexts   | 1 +
 private/hal_boot.te     | 2 ++
 public/hal_boot.te      | 9 +++++++++
 public/system_server.te | 1 +
 4 files changed, 13 insertions(+)
 create mode 100644 private/hal_boot.te
 create mode 100644 public/hal_boot.te

diff --git a/private/file_contexts b/private/file_contexts
index a53c5b166..c0e6fcfe5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -222,6 +222,7 @@
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
 /system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
+/system/bin/hw/android.hardware.boot@1.0-service u:object_r:hal_boot_exec:s0
 /system/bin/hw/android.hardware.nfc@1.0-service   u:object_r:android_hardware_nfc_1_0_service_exec:s0
 /system/bin/hw/android.hardware.vibrator@1.0-service   u:object_r:android_hardware_vibrator_service_exec:s0
 /system/bin/hw/android.hardware.vr@1.0-service   u:object_r:android_hardware_vr_exec:s0
diff --git a/private/hal_boot.te b/private/hal_boot.te
new file mode 100644
index 000000000..1307afdfa
--- /dev/null
+++ b/private/hal_boot.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(hal_boot)
diff --git a/public/hal_boot.te b/public/hal_boot.te
new file mode 100644
index 000000000..327fbf98f
--- /dev/null
+++ b/public/hal_boot.te
@@ -0,0 +1,9 @@
+# boot_control subsystem
+type hal_boot, domain;
+type hal_boot_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_boot)
+
+# call into system_server process (callbacks)
+binder_call(hal_boot, system_server)
diff --git a/public/system_server.te b/public/system_server.te
index 249a3d348..35f1b7306 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -147,6 +147,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
 binder_use(system_server)
+binder_call(system_server, hal_boot)
 binder_call(system_server, android_hardware_vibrator_service)
 binder_call(system_server, android_hardware_vr)
 binder_call(system_server, binderservicedomain)
-- 
GitLab