From 60e8886c1f4e27b15b53dee405cc4ba41be802be Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Thu, 10 Nov 2016 09:17:13 -0800
Subject: [PATCH] health: add sepolicy for health hal service

Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd91591c0f267bc536257d698e43d36ea546)
---
 private/file_contexts |  1 +
 private/hal_health.te |  2 ++
 public/hal_health.te  | 14 ++++++++++++++
 public/healthd.te     |  1 +
 4 files changed, 18 insertions(+)
 create mode 100644 private/hal_health.te
 create mode 100644 public/hal_health.te

diff --git a/private/file_contexts b/private/file_contexts
index ddaa5aeea..678fd05c4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -233,6 +233,7 @@
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
+/system/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_exec:s0
 /system/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /system/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
 /system/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
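Review bot: The added entry labels the service binary `hal_health_exec`, while most neighbouring entries in this hunk use the `hal_<name>_default_exec` form (`hal_ir_default_exec`, `hal_light_default_exec`, `hal_memtrack_default_exec`); only `hal_boot_exec` uses the short form. If the `_default` suffix is meant to separate the reference implementation's domain from the HAL itself, this line should read `u:object_r:hal_health_default_exec:s0`, with the matching type declared in `hal_health.te`. Without that split, a vendor implementation of the same HAL would presumably have to run under the label defined here, so its permissions could not be scoped separately.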
diff --git a/private/hal_health.te b/private/hal_health.te
new file mode 100644
index 000000000..93115b035
--- /dev/null
+++ b/private/hal_health.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(hal_health)
diff --git a/public/hal_health.te b/public/hal_health.te
new file mode 100644
index 000000000..2b498a29a
--- /dev/null
+++ b/public/hal_health.te
@@ -0,0 +1,14 @@
+# health info abstraction
+type hal_health, domain;
+type hal_health_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_health)
+
+# call into healthd for callbacks
+binder_call(hal_health, healthd)
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_health, system_file)
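Review bot: `r_dir_file(hal_health, system_file)` grants read access to every file and directory labelled `system_file`, which is wider than the comment above it suggests (HAL `.so` files under `/{system,vendor,odm}/lib[64]/hw/`). The comment should state the real scope so an auditor does not read the grant as path-restricted, for example `# Read access to all system_file objects; needed to open the HAL implementation .so files in /{system,vendor,odm}/lib[64]/hw/`. If a narrower label for the `hw/` library directories becomes available, this is the rule to tighten.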
diff --git a/public/healthd.te b/public/healthd.te
index 482eaeeb2..8d71cfd33 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,6 +24,7 @@ binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
 binder_call(healthd, hwservicemanager)
+binder_call(healthd, hal_health)
 
 allow healthd sysfs_batteryinfo:file r_file_perms;
 allow healthd batteryproperties_service:service_manager { add find };
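Review bot: The added `binder_call(healthd, hal_health)` has no comment, and its counterpart `binder_call(hal_health, healthd)` is documented only in `public/hal_health.te`. Because the two rules together let each domain initiate calls into the other, a short comment here would help, such as `# call into the health HAL service; the HAL calls back into healthd (see hal_health.te)`. That lets a reader of `healthd.te` see the two-way grant is intentional.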
-- 
GitLab