Remove hal_light from system_server domain

HAL clients should not be annotated with hal_x and haldomain. This may grant them too much access. Instead, the policy needed for using in-process HALs should be directly embedded into the client's domain rules. Test: Boot sailfish, adjust screen brightness from the system UI, no SELinux denials for system_server to do with sysfs_leds. Bug: 34715716 Change-Id: Iccb4224d770583e3c38930e8562723d57d283077

Remove hal_light from system_server domain
384a73de · Alex Klyubin · a7653ee2 · 384a73de
Commit 384a73de authored 8 years ago by Alex Klyubin
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;

-# Attributes for passthrough hals
-typeattribute system_server hal_light;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -610,6 +607,13 @@ r_dir_file(system_server, sysfs_type)
 # Allow system_server to make binder calls to hwservicemanager
 binder_call(system_server, hwservicemanager)

+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
 userdebug_or_eng(`
  # Allow WifiService to start, stop, and read wifi-specific trace events.
  allow system_server debugfs_tracing_instances:dir search;