Apps and system_server are gralloc HAL clients

This commit marks system_server and app domains (except isolated_app) as clients of Graphics Allocator HAL. This makes the policy cleaner and prepares ground for restricting access to HwBinder services. Test: Play video in YouTube app and in Google Chrome YouTube web page Test: Using Google Camera app, take an HDR+ photo, a conventional photo, record a video with sound and a slow motion video with sound, then check that photos look good and videos play back fine, including sound. Bug: 34454312 Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a

Apps and system_server are gralloc HAL clients
5007c10a · Alex Klyubin · 0d1b2ce1 · 5007c10a · 5007c10a · 5007c10a
Commit 5007c10a authored 7 years ago by Alex Klyubin
--- a/private/app.te
+++ b/private/app.te
@@ -270,9 +270,6 @@ auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write app
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);

-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
-
 # Allow app access to mediacodec (IOMX HAL)
 binder_call({ appdomain -isolated_app }, mediacodec)


--- a/private/system_server.te
+++ b/private/system_server.te
@@ -175,7 +175,7 @@ hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_graphics_allocator)
 binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -627,7 +627,6 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi

 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;

 r_dir_file(system_server, proc)
 r_dir_file(system_server, proc_meminfo)

--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,11 @@
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))

+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;