From 41518bec2508c85eb8797980321d3912b4598261 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 13 Mar 2017 15:13:52 -0700
Subject: [PATCH] Switch Sensors HAL policy to _client/_server

This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.

Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.

P. S. This commit also removes
  allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
      lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
      and that the app can register to listen for updates for sensors
      and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
---
 private/system_server.te      | 5 +----
 public/attributes             | 2 ++
 public/hal_sensors.te         | 7 +++++--
 vendor/hal_sensors_default.te | 2 +-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 294ceb4fe..d78c57682 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -182,7 +182,7 @@ binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
 binder_call(system_server, hal_memtrack)
 binder_call(system_server, hal_power)
-binder_call(system_server, hal_sensors)
+hal_client_domain(system_server, hal_sensors)
 binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
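Review bot: Replacing binder_call(system_server, hal_sensors) with hal_client_domain(system_server, hal_sensors) means that in passthrough mode system_server inherits every rule written against the hal_sensors attribute, not just the IPC permission it had before; the one grant visible in this patch is `allow hal_sensors { appdomain -isolated_app }:fd use;` in public/hal_sensors.te, which now applies to system_server whenever the HAL is in-process. That is the stated design, but it also means any later addition to hal_sensors.te silently widens system_server, which is easy to miss when reading system_server.te alone. A comment next to the macro call would make that visible: `# Passthrough mode: system_server gains all hal_sensors rules (see public/hal_sensors.te).` Whether the client still gets the reverse binder transfer that binder_call granted depends on the hal_client_domain macro definition, which is not in this patch.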
@@ -453,9 +453,6 @@ allow system_server cache_private_backup_file:file create_file_perms;
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
 
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file rw_file_perms;
-
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
 
diff --git a/public/attributes b/public/attributes
index 171ebd8a9..d26f7eee8 100644
--- a/public/attributes
+++ b/public/attributes
@@ -160,6 +160,8 @@ attribute hal_memtrack;
 attribute hal_nfc;
 attribute hal_power;
 attribute hal_sensors;
+attribute hal_sensors_client;
+attribute hal_sensors_server;
 attribute hal_telephony;
 attribute hal_thermal;
 attribute hal_usb;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0f52ff55d..0d6dfe077 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,2 +1,5 @@
-#Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors {appdomain - isolated_app}:fd use;
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
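Review bot: The comment "HwBinder IPC from client to server" understates the new binder_call(hal_sensors_client, hal_sensors_server) line if binder_call expands as the platform macro does, since that macro also allows the server to transfer binder references back to the client and the client to use fds received from the server; a reader auditing the client/server boundary from the comment alone would miss the reverse direction. Suggest `# HwBinder IPC: client calls server; binder_call also permits transfer back to the client and fd use by the client`. The ashmem rule below is keyed on hal_sensors, so it lands on whichever domain holds that attribute (the server domain when binderized, the client domain in passthrough), which is worth stating in its comment as well, e.g. `# Granted to the server in binderized mode and to the client in passthrough mode`.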
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 3c3a104a6..b4c9a8632 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
 type hal_sensors_default, domain;
-hal_impl_domain(hal_sensors_default, hal_sensors)
+hal_server_domain(hal_sensors_default, hal_sensors)
 
 type hal_sensors_default_exec, exec_type, file_type;
 init_daemon_domain(hal_sensors_default)
-- 
GitLab