From 384a73deb27f86fefd05f1dd4d20975f9b509ad7 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 26 Jan 2017 15:12:09 -0800
Subject: [PATCH] Remove hal_light from system_server domain

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

Test: Boot sailfish, adjust screen brightness from the system UI, no
      SELinux denials for system_server to do with sysfs_leds.
Bug: 34715716

Change-Id: Iccb4224d770583e3c38930e8562723d57d283077
---
 public/system_server.te | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/public/system_server.te b/public/system_server.te
index 61f640dff..aef97b54e 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;
 
-# Attributes for passthrough hals
-typeattribute system_server hal_light;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -610,6 +607,13 @@ r_dir_file(system_server, sysfs_type)
 # Allow system_server to make binder calls to hwservicemanager
 binder_call(system_server, hwservicemanager)
 
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
 userdebug_or_eng(`
   # Allow WifiService to start, stop, and read wifi-specific trace events.
   allow system_server debugfs_tracing_instances:dir search;
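Review bot: The three added `sysfs_leds` rules are unconditional, so `system_server` keeps `rw_file_perms` on the LED sysfs nodes even on builds where the Light HAL runs out of process and the write access is not needed. The comment "should eventually be granted only when needed" has no owner or tracking reference, so I would turn it into an actionable marker such as `### TODO(b/<tracking-bug>): grant only when the Light HAL is passthrough (in-process).`. The `r_dir_file(system_server, sysfs_type)` line in the hunk header may already cover the directory and symlink reads if `sysfs_leds` carries the `sysfs_type` attribute, which is not visible here. If it does, only the write portion of `sysfs_leds:file rw_file_perms` is new access, and the comment should say so to make later least-privilege review easier.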
-- 
GitLab