From 23e0a7f23ac7a33a877781a642e243fb215f6a76 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 23 Jun 2017 08:40:16 -0700
Subject: [PATCH] system_server is a client of configstore

avc: denied { find } for interface=android.hardware.configstore::ISurfaceFlingerConfigs scontext=u:r:system_server:s0 tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0 tclass=hwservice_manager permissive=0

Bug: 35197529
Test: Device boots without this denial
Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1
---
 private/app.te | 3 ---
 private/surfaceflinger.te | 1 -
 private/system_server.te | 1 +
 public/hal_configstore.te | 2 ++
 4 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/private/app.te b/private/app.te
index 25dbdb70b..bbd4b9269 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,9 +69,6 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3595ee426..b33035e8e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 # Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index 99dc66314..3c3f82d97 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,6 +177,7 @@ binder_service(system_server)
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd52..66a168e40 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,6 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # As opposed to the rules of most other HALs, the different services exposed by
 # this HAL should be restricted to different clients. Thus, the allow rules for
-- 
GitLab
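Review bot: The new `allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;` in public/hal_configstore.te grants lookup of ISurfaceFlingerConfigs to every domain carrying the hal_configstore_client attribute, which reads as the opposite of the comment just below it ("the different services exposed by this HAL should be restricted to different clients"). With the per-domain find rules removed from private/app.te and private/surfaceflinger.te in this same patch, the attribute becomes the only gate visible here, so any later `hal_client_domain(X, hal_configstore)` inherits this service without a rule that names X. Either keep the find rule in each client's own .te file, or record the exception next to the rule, e.g. `# ISurfaceFlingerConfigs is available to all configstore clients; grant any other configstore service per client.`. The comment block continues past the end of the hunk, so its remaining text may already qualify this.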