Switch Dumpstate HAL policy to _client/_server

This switches Dumpstate HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Dumpstate HAL. Domains which are clients of Dumpstate HAL, such as dumpstate domain, are granted rules targeting hal_dumpstate only when the Dumpstate HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_dumpstate are not granted to client domains. Domains which offer a binderized implementation of Dumpstate HAL, such as hal_dumpstate_default domain, are always granted rules targeting hal_dumpstate. Test: adb bugreport Test: Take bugreport through system UI Bug: 34170079 Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27

Switch Dumpstate HAL policy to _client/_server
47174e3b · Alex Klyubin · d68aae65 · 47174e3b · 47174e3b · 47174e3b
Commit 47174e3b authored 8 years ago by Alex Klyubin
--- a/public/attributes
+++ b/public/attributes
@@ -138,6 +138,8 @@ attribute hal_drm;
 attribute hal_drm_client;
 attribute hal_drm_server;
 attribute hal_dumpstate;
+attribute hal_dumpstate_client;
+attribute hal_dumpstate_server;
 attribute hal_fingerprint;
 attribute hal_fingerprint_client;
 attribute hal_fingerprint_server;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -89,10 +89,8 @@ binder_call(dumpstate, { appdomain netd wificond })

 # Vibrate the device after we are done collecting the bugreport
 # For binderized mode:
-hwbinder_use(dumpstate)
-binder_call(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_dumpstate)
 binder_call(dumpstate, hal_vibrator)
-binder_call(dumpstate, hwservicemanager)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };


--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
-# call into dumpstate process (callbacks)
-binder_call(hal_dumpstate, dumpstate)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)

 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
 type hal_dumpstate_default, domain;
-hal_impl_domain(hal_dumpstate_default, hal_dumpstate)
+hal_server_domain(hal_dumpstate_default, hal_dumpstate)

 type hal_dumpstate_default_exec, exec_type, file_type;
 init_daemon_domain(hal_dumpstate_default)