From 2ff6b4da73afd1585f292a99337028d23e7941d8 Mon Sep 17 00:00:00 2001
From: Mikhail Naganov <mnaganov@google.com>
Date: Thu, 4 Aug 2016 13:40:23 -0700
Subject: [PATCH] Update SELinux policy for audiohal

Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
---
 private/android_hardware_audio_2_0_service.te |  3 ++
 private/file_contexts                         |  2 ++
 public/android_hardware_audio_2_0_service.te  | 36 +++++++++++++++++++
 public/audioserver.te                         |  3 ++
 public/file.te                                |  1 +
 5 files changed, 45 insertions(+)
 create mode 100644 private/android_hardware_audio_2_0_service.te
 create mode 100644 public/android_hardware_audio_2_0_service.te

diff --git a/private/android_hardware_audio_2_0_service.te b/private/android_hardware_audio_2_0_service.te
new file mode 100644
index 000000000..8a29255f2
--- /dev/null
+++ b/private/android_hardware_audio_2_0_service.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(android_hardware_audio_2_0_service)
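Review bot: The two-line comment above `init_daemon_domain(...)` is a run-on sentence, so it is hard to tell which rule has to stay private and which is merely placed here by choice. I would split it: `# type_transition must be in private policy. The domain_trans rules could stay` / `# public, but conceptually belong with the transition, so both live here.` That keeps the reason for the private/public split readable for whoever next moves rules between the two directories.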
diff --git a/private/file_contexts b/private/file_contexts
index c24d2f991..a53c5b166 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -169,6 +169,7 @@
 /system/bin/wificond	u:object_r:wificond_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/hw/android\.hardware\.audio@2\.0-service	u:object_r:android_hardware_audio_2_0_service_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
@@ -274,6 +275,7 @@
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
 /data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
diff --git a/public/android_hardware_audio_2_0_service.te b/public/android_hardware_audio_2_0_service.te
new file mode 100644
index 000000000..9da62c8b1
--- /dev/null
+++ b/public/android_hardware_audio_2_0_service.te
@@ -0,0 +1,36 @@
+# android_hardware_audio_2_0_service - audio services daemon
+type android_hardware_audio_2_0_service, domain;
+type android_hardware_audio_2_0_service_exec, exec_type, file_type;
+
+hwbinder_use(android_hardware_audio_2_0_service)
+binder_call(android_hardware_audio_2_0_service, audioserver)
+
+allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
+
+allow android_hardware_audio_2_0_service system_file:dir { open read };
+
+userdebug_or_eng(`
+  # used for pcm capture for debug.
+  allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
+  allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(android_hardware_audio_2_0_service, proc)
+allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
+allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# android_hardware_audio_2_0_service should never execute any executable without
+# a domain transition
+neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
+
+# android_hardware_audio_2_0_service should never need network access.
+# Disallow network sockets.
+neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;
\ No newline at end of file
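Review bot: The `unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)` rule lets the HAL domain connect to the bluetooth domain's socket on every device, although its own comment says only some devices need it. That is wider than least privilege for a domain whose purpose is to confine hardware-facing audio code. The rule would sit better in the device-specific policy of the devices that need it, or at least carry a tracking comment such as `# TODO: move to device policy; only devices that route audio to a paired BT device over this socket need it.` Separately, the header comment `audio services daemon` reads as if copied from audioserver and could say `audio HAL service` instead. The file also ends without a trailing newline.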
diff --git a/public/audioserver.te b/public/audioserver.te
index b1a84a239..5dea1b3cc 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -9,6 +9,9 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, { appdomain ephemeral_app })
 binder_service(audioserver)
 
+hwbinder_use(audioserver)
+binder_call(audioserver, android_hardware_audio_2_0_service)
+
 r_dir_file(audioserver, proc)
 allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
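Review bot: The added `hwbinder_use(audioserver)` and `binder_call(audioserver, android_hardware_audio_2_0_service)` lines have no comment, unlike most rule groups in the new HAL policy file. A one-line comment such as `# Talk to the audio HAL service over hwbinder.` would record why audioserver gains hwbinder access. The rest of audioserver.te lies outside this hunk, so I cannot tell whether audioserver still holds direct audio-device permissions. If it does, a follow-up to drop them once the HAL owns hardware access is worth tracking, since the split reduces audioserver's exposure only when those rules go away.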
diff --git a/public/file.te b/public/file.te
index b622c875a..4867b6710 100644
--- a/public/file.te
+++ b/public/file.te
@@ -142,6 +142,7 @@ type postinstall_file, file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
+type audiohal_data_file, file_type, data_file_type;
 type audioserver_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type bluetooth_logs_data_file, file_type, data_file_type;
-- 
GitLab