diff --git a/private/app.te b/private/app.te
index b41ebec49be13471f77970fa0bdf1d8666d2ef79..04f2f6520834c1d13c9cd710cbb979e1f8610764 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,6 +69,9 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
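Review bot: The added rule for `hal_configstore_ISurfaceFlingerConfigs` grants only `hwservice_manager find`, and nothing in this hunk lets `appdomain` make HwBinder calls to the configstore server. If apps query the HAL directly, the comment should name the rule that grants the call; if they do not, the lookup is exposure to every non-isolated app with no consumer. A wording such as `# Query whether a Surface supports wide color (find only; the call permission comes from <rule/file to be named>)` would make the dependency visible. This matters because public/hal_configstore.te states that client rules for this HAL are deliberately kept per client.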
@@ -174,9 +177,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
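Review bot: The `hidl_token_hwservice` find rule gives every non-isolated app lookup access to the token manager, but the comment above it covers only the OMX TODO and never says why the token service is needed. Add a line such as `# hidl_token_hwservice: required for <reason to be stated>` so the grant can be re-evaluated when b/36375899 is resolved. The same uncommented `hidl_token_hwservice` find is added in private/surfaceflinger.te, private/system_server.te and public/cameraserver.te. There is also a stray double space in `hwbinder_use({ appdomain  -isolated_app })`.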
@@ -277,6 +282,9 @@ binder_call({ appdomain -isolated_app }, mediacodec)
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 25e5c81e3161addfe5bb9f97b3f9398ed5a51f63..4742a5b43b0e9828d43d9b0bc4b36a4da31cacde 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -57,7 +57,6 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 
 hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
 hal_client_domain(bluetooth, hal_telephony)
 
 read_runtime_log_tags(bluetooth)
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index d4bdef93d62e1c230b2e4db02afd7ddee1b5a4a2..9dcd3ee3846a74094ad45970754e76405846f626 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -8,3 +8,6 @@ hwbinder_use(halclientdomain)
 
 # Used to wait for hwservicemanager
 get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9330041a708b0979c1e03be551923e37368e8abe..9ecf69f1c0691556ee168887220ebff02e883cf9 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,2 +1,51 @@
-android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
-*                                    u:object_r:default_android_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper                        u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock                              u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator                            u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
+*                                                               u:object_r:default_android_hwservice:s0
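Review bot: Four unrelated interfaces are mapped to the single type `hal_audio_hwservice`: `android.hardware.audio.effect::IEffectsFactory`, `android.hardware.audio::IDevicesFactory`, `android.hardware.broadcastradio::IBroadcastRadioFactory` and `android.hardware.soundtrigger::ISoundTriggerHw`. With the rules added in public/hal_audio.te, any `hal_audio_client` can find all four and any `hal_audio_server` can register all four, so broadcast radio and sound trigger cannot be restricted independently of audio. If the sharing is intentional (for example because one process hosts them), record that next to the hal_audio rules; otherwise give the two interfaces their own types, e.g. `hal_broadcastradio_hwservice` and `hal_soundtrigger_hwservice`.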
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 627b93f5f532bfd262a48686513873503127d9f5..a43eb020631f5d4538b090935893937d1e79785b 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,6 @@
 typeattribute hwservicemanager coredomain;
 
 init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/keystore.te b/private/keystore.te
index 6aa888429255afbd4cc7edc8bf27c536b55afd33..a9647c63104c5387f7b540e7fea7b6e0f28afccb 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,10 @@
 typeattribute keystore coredomain;
 
 init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 08c3f9b2c7b1013da64e8c861be8f4b4b2529585..a9b85be0cb1f90bed7a3a85b19daeb09f9e3ef4b 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -4,3 +4,7 @@ init_daemon_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index eeea1852db1e463e111b46e073a3a5b009624679..3e91d2115a96826b2eabef7e3e018a6e1fdfec1e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -10,11 +10,11 @@ typeattribute surfaceflinger mlstrustedsubject;
 read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
index 89b14a926c72cfdd1ed53f99fc8859d0cd7e5e2f..3dee16a42f82d9b6fd91b71e977c21115002d8dc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -170,39 +170,29 @@ binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
 hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
 hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_oemlock)
-binder_call(system_server, hal_power)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
 hal_client_domain(system_server, hal_tv_input)
-binder_call(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
 hal_client_domain(system_server, hal_wifi_offload)
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 binder_call(system_server, mediacodec)
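Review bot: The `hal_omx_hwservice` and `hidl_token_hwservice` find rules are inserted in the middle of the alphabetised `hal_client_domain` list with no comment, while the same OMX workaround in private/app.te and private/mediaserver.te carries `TODO(b/36375899)`. Move the two `allow` lines below the list and mark them the same way, e.g. `# TODO(b/36375899): replace with hal_client_domain once OMX HAL is attributized`. Without the marker this temporary grant to system_server is easy to miss when the bug is closed.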
@@ -210,6 +200,13 @@ binder_call(system_server, mediacodec)
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;
 
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
@@ -640,9 +637,6 @@ r_dir_file(system_server, proc_net)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
 allow system_server sysfs_leds:lnk_file read;
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
index 51d24206197e7a00519da1e6a0c285b6d6e4bc8b..053c03d9867da94abbd7a32c1bce1a7586b6fa8d 100644
--- a/private/vr_hwc.te
+++ b/private/vr_hwc.te
@@ -2,3 +2,5 @@ typeattribute vr_hwc coredomain;
 
 # Daemon started by init.
 init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
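Review bot: `hal_server_domain(vr_hwc, hal_graphics_composer)` is added without a comment, and it is the only `hal_server_domain` call added in the visible part of this diff. Presumably the macro also places vr_hwc in the `hal_graphics_composer` attribute, in which case it inherits that attribute's rules, such as `gpu_device:chr_file rw_file_perms` in public/hal_graphics_composer.te. Confirm that a coredomain daemon needs those, and say why it registers a composer service, e.g. `# vr_hwc offers its own IComposer instance (TODO confirm)`.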
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 2a243cc5ed20c67b1f8c8f4660ff735a6ec156e5..0dd4a80ce16b1e8d88531b5ce16c406f59d80871 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,7 +8,6 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
-allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
 
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
@@ -27,6 +26,8 @@ allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/domain.te b/public/domain.te
index 64539781d5372fb2e548112f84f33891632aec8e..886a499b7a3568d316a585769ca24a3a62f6bcae 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -212,8 +212,6 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
-# TODO(b/34454312) remove this when the correct policy is in place
-allow domain default_android_hwservice:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
@@ -433,6 +431,22 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # from service name to service_type are defined in service_contexts.
 neverallow * default_android_service:service_manager add;
 
+# Do not allow hwservice_manager add for default_android_hwservice.
+# Instead domains should use a more specific type such as
+# hal_audio_hwservice rather than the generic type.
+# New service_types are defined in hwservice.te and new mappings
+# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;
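Review bot: The comment above the first new neverallow says only `add` is forbidden for `default_android_hwservice`, but the rule denies `{ add find }`, unlike the `service_manager` rule just above it, which denies `add` alone. Reword it to `# Do not allow hwservice_manager add or find for default_android_hwservice.` It should also state that any interface not listed in hwservice_contexts falls under the `*` entry and so can be neither registered nor looked up, which is how a missing mapping will show up. In the second comment, `hwservicemanager currently offer` should read `currently offers`.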
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3322e14680372b06ec30c15d2973289ae422466a..7cecdbf884e75adeabc52f1d8b0562ddabed21d0 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -94,10 +94,8 @@ r_dir_file(dumpstate, cgroup)
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain netd wificond })
 
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
 hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+# Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b444593ba3b554f8feac6a87acf6d931de691329..646cebdebec48a251147e2e8d984b95102e70ccc 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,2 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
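Review bot: `hal_allocator_client` is allowed to find `hidl_memory_hwservice`, but no domain in the visible part of this diff registers that type with `add_hwservice`, and the rule has no comment. If `android.hidl.memory::IMapper` is a passthrough (in-process) interface, say so, e.g. `# IMapper is passthrough; clients still look it up through hwservicemanager`; otherwise a server-side rule is missing. The same applies to `hal_graphics_mapper_hwservice` in public/hal_graphics_allocator.te. It also applies to `hidl_memory_hwservice` in public/hal_drm.te, where the grant goes to the whole `hal_drm` attribute rather than to `hal_drm_client`.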
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944a00d693e958f04e0454ef8983fc8c275a..9539ff40f3b04f9e3bf6d88e1ae2a4d7cef01983 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,6 +2,9 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
 allow hal_audio ion_device:chr_file r_file_perms;
 
 userdebug_or_eng(`
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 46fd9d718935125143ea5f03478a5220cd44c6e9..c04cd0865836f9e4e9cffddd0432405e4f332014 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,6 +2,9 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index b731fd69d5c70869c29a282ff517821902af7800..8b240b1ce3013649202b0908dddf63b5e905e630 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index a00bf9f4244beb35ed214494d4a39aa6ffa28c4c..b77ff3a4d8dc41e6f48bb9e62db9c2351d12c712 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
-add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a8b88b3ba215950d1c2a9cc2043324b973ef9a9..4bf6cfd522748f0d4db61f771e737059dec4e18a 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,2 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index d991e9dfef10076d00fc88a58b3b68b64d9f1580..f11bfc816e0e48820181b36b9b93c5b16cceb92f 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a773dd5fc80a70c1e3dbdb2d616d08b127cbbe52..2600843f681f58787a696aa72071dc6a3a724438 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,6 +2,11 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
 
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 884b6fc2e41f7bae849c24b5605dfc8cfc523976..2853567e0c2b2b4d5bb7bf968d1faf374a9e40ea 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,9 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 580ef3796356f74e0c7c378eef8310ef63d6339b..bef9f556ee8a94519e5ff1bb540d52234b577233 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,6 +2,9 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 618a2ee643256c326e6ace9d6dfc3a8df93eb5e0..123acf5674f26f776fbe82eadff8aa8bcd4c4c8a 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,5 +1,8 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 753791bbff734bfb94dee4e6ad676a82b04caf1f..b59cd1d5a6aba07027b153b15273f9c5b86ee358 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e434751490d300503cc49e9dc83e9eb112e8667c..5f2f098cacd4e6c6a96bd06e9a7473cfad92bb50 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,10 @@
 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 9ba0bdb17b34b79fea0571562b3aaae391cfc40c..2d8483d3c5616e738106299226a14db3da6485c3 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,9 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 341efdd2006e99925ec80cb9cae4b8795852d7a9..c19c5f1d78f8e931b1c02d8b4294d2936c43997a 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index adfb5ae18b17306c77d577cba5750122658dda42..b1bfdd804b144b92c786e34f5a6b7ceebc3868b0 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index afcd0bd9ddd47f9480f916a24003895dc6b42873..dc5f6d01d15ea48f280c0be36162699246245bc1 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 145b02e7f68af0504d39ba7743dd1d2a3f193aa7..5b93dd115fd478a1c9a396ca898ca1f688f16ac4 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000000000000000000000000000000000000..b2cc9cd1ec730b2feb27ef098da2329b9319be9e
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index d289ef7f716446117dd19660b45c34f8f48bdf70..349dea6a3863fc13ba982407320d6da279bf7afe 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,6 +2,9 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
 
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 69870ec29a0e1d9b0a7195eae78aeb8ddc3e094f..3fb5a18713647337e79ab91ca7a05645f113f241 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -1,2 +1,5 @@
 # HwBinder IPC from client to server
 binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000000000000000000000000000000000000..fcba3d25dadd72ec7b502f2fbd16dce706f6b71b
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 567b0bee1a92046e1118e39a297cc574998b0fa0..3cf3069ce62881a1e8230b9de2a97e2aa9a3958a 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,6 +1,9 @@
 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
 
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 704adc096da01bf9430ab5391c6309a766133cff..41cfd4bf3fa76cbdfdf7c94d974465975af46d0a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index a59a97885a6e166e32cce8f85809c3a0c103351b..b1764f114c9862ce0eb3abf118bfe0fb428c374a 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index aa85b926e528fe188980c98d746974348122c1ec..7719cae92092228bb3c4d52551d7980654d0aae1 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5276ddfeaaec37b43e15a3860e7107abf947a623..31a006740da1fd891ae90c2711ba3c18f0770f4e 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 5c31c065c96c8c213082c93817f9d26a917c8bc3..9cfd5165d282b0ea21acddda9574b68e7443e4bf 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 0d9d308dfd3cc252d67b340e371fee25927c602c..c8612d77a3bd76b0283be5ffc440fd16f34a0a99 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 08102ad800da2acedc9e6230cdb001f990f495f4..3cb392d144f5985aba44c335c5d1a3d14866ff95 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 78d2b75531320156a809e69652df426e45c02c69..b80ba292c6eb7e1fc710a9ca366db3674f3585ad 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -1,2 +1,5 @@
 # HwBinder IPC from client to server
 binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e06d8f9b08d8ab2d88a2273ef55e89635f9a46d6..5e0b9bc49030b670f8e02bcab4f041c11d30cd17 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dac5171b1e6c4d30923c0fcf77c7e4314e7fc75c..dc0cf5a7316beb41d563c1627b923a8d48eb048d 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -2,5 +2,8 @@
 binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi_offload, proc_net)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 49ce4fa6e540b7f11935f19b01baf23df61b8feb..0f2540e40d9804264b832cd392efc7bf6c75f5d8 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/public/healthd.te b/public/healthd.te
index 8737dbe5f5b2b9064775cd6a10929aaac8262835..c0a7bec7bd3d5f02f6562ba0090852e929901c79 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,8 +24,6 @@ wakelock_use(healthd)
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
 hal_client_domain(healthd, hal_health)
 
 # Write to state file.
diff --git a/public/hwservice.te b/public/hwservice.te
index cf596294297d60c52825ce5bd990158689a0f8b9..8b641fb6ad81584cc91fec9f44afff9717cea40b 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,2 +1,45 @@
-type default_android_hwservice,   hwservice_manager_type;
-type hw_camera_provider_ICameraProvider,             hwservice_manager_type;
+type default_android_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type;
+type fwk_sensor_hwservice, hwservice_manager_type;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type;
+type hidl_memory_hwservice, hwservice_manager_type;
+type hidl_token_hwservice, hwservice_manager_type;
+type system_wifi_keystore_hwservice, hwservice_manager_type;
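Review bot: `hal_configstore_ISurfaceFlingerConfigs` is the only type in this list named after a single interface; every other HAL entry is `hal_<name>_hwservice`. If the per-interface label is deliberate (this is the type private/app.te opens to `{ appdomain -isolated_app }`, so keeping it narrower than the whole configstore HAL would make sense), a comment saying so would stop a later cleanup from widening it, for example `# Labeled per interface on purpose: only this configstore interface is exposed to apps`. A one-line header explaining the `fwk_`, `hal_`, `hidl_` and `system_` prefixes would also help readers of the list.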
diff --git a/public/keystore.te b/public/keystore.te
index 378949a987539602bed96d68068b1b2549f8bcf0..2c3118510a4ae7facd99c1dabbaa716e9de6bbee 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -7,13 +7,6 @@ binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
 
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-hwbinder_use(keystore)
-typeattribute keystore wifi_keystore_service_server;
-
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 3445c7a62dc2554bd12c98fc370d8b7376824bea..5c1ccbf5294bc2ddfc56fc387e8e45d18b2bdaeb 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -34,6 +34,8 @@ allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_omx_hwservice)
+
 hal_client_domain(mediacodec, hal_allocator)
 
 # allocate and use graphic buffers
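Review bot: `add_hwservice(mediacodec, hal_omx_hwservice)` is added without a comment, and it names the `mediacodec` domain directly rather than a HAL server attribute as the hal_*.te files do. Through the macro's `neverallow { domain -$1 } $2:hwservice_manager add;` this makes mediacodec the only domain that may ever register the OMX service, which looks intended as a stopgap given the TODO(b/36375899) in private/app.te. I would record that here: `# Register the OMX HAL. TODO(b/36375899): move to hal_server_domain once mediacodec is attributized as OMX HAL`. The file continues outside this hunk.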
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 8c9ef31f2871fc35a82c9a7e87a361e6020e5f94..cf539f8ee3223d2aace74fe2b710190ad011fd18 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
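Review bot: The comment `# For interfacing with OMX HAL` sits above a rule that grants `find` on `hidl_token_hwservice`, not on `hal_omx_hwservice`, so it does not explain what is actually being allowed. In private/app.te the two are granted together; if mediaserver also needs `find` on `hal_omx_hwservice` and gets it outside this hunk, say so, otherwise confirm that the token service alone is enough. A more precise comment would be `# Look up the HIDL token manager, used when interfacing with the OMX HAL`.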
diff --git a/public/radio.te b/public/radio.te
index 8c3c6a5a35728c4ce5b15c90ac40bf40e1bd64ba..f5604fd43d7ab4398bdda638f0c9306bf81f8ac8 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -37,5 +37,4 @@ allow radio system_api_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
-binder_call(radio, hal_telephony)
 hal_client_domain(radio, hal_telephony)
diff --git a/public/te_macros b/public/te_macros
index beec54640aaaef079c848cd8e996ccd8e8a2e579..661585aa1413daac3e2f0a17a6be591b3de0a053 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -509,6 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 
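Review bot: The new `allow $1 hidl_base_hwservice:hwservice_manager add;` hands `add` on one shared type to every domain that uses `add_hwservice`, and unlike `$2` nothing bounds it with a neverallow. That is presumably needed because a HIDL server registers its whole interface chain, including the base interface. It means the label `hidl_base_hwservice` says nothing about who registered a service, so `find` on it must never be used as an access decision. I would state that in the macro's header comment (which starts above this hunk) and, if no such rule exists elsewhere in the policy, pin it with `neverallow * hidl_base_hwservice:hwservice_manager find;`.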
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8f86a2717f615882ce7b895b7af3f5fd7d410822..239e5c19bd338ea09b258b3423ae95541ab06dc0 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,5 @@ hal_server_domain(hal_camera_default, hal_camera)
 
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
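Review bot: `allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;` lets a vendor HAL look up a framework-side service, and there is no comment saying why; the same holds for `fwk_scheduler_hwservice` in the vendor/hal_sensors_default.te hunk that follows. These are the only places in the visible change where a vendor domain is granted `find` on a `fwk_` type, so the reason should sit next to the rule, e.g. `# Default camera HAL looks up the framework sensor service` (wording to be confirmed by the author). Note that `find` only covers the lookup; the `binder_call` to whichever domain hosts the service is not in this hunk and, if needed, has to be granted elsewhere.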
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 5ba4aaba2c19b4a6a0e21e4cc2a936bcbac0de89..8379c8279d55d23d9e117cc72995e0dac4ab9887 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -3,3 +3,5 @@ hal_server_domain(hal_sensors_default, hal_sensors)
 
 type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 62b03be4abcdf1cce9321b432b115308b6416fb0..8d7069c964072d454bd70341a94d24bc6a479371 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,4 +10,5 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
 binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)