Assign su as a client to all HAL domains

VTS testing is intended to be run on userdebug builds with: 1. Tests running in the permissive su domain. 2. HALs running in enforcing mode (i.e. setenforce 1). As such su needs to be a client to every HAL. Example: hal_tetheroffload_server has permission to receive and use a netlink_netfilter_socket from hal_tetheroffload_client (currently system_server). Before declaring su as hal_tetheroffload_client VTS tests were failing with the following denials: avc: denied { setopt } for comm="HwBinder:843_1" scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0 tclass=netlink_netfilter_socket avc: denied { read write } for comm="VtsHalTetheroff" path="socket:[216191]" dev="sockfs" ino=216191 scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0 tclass=netlink_netfilter_socket avc: denied { getattr } for comm="HwBinder:843_1" scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0 tclass=netlink_netfilter_socketsu acting as client to hal_tetheroffload_server passes it a netlink_netfilter_socket, permissions which are already granted to hal_tetheroffload_client With su declared as hal_tetheroffload_client tests pass as expected. Bug: 36792117 Test: build Change-Id: If2d3978eee0f96e50ad0c0cc6afc0f18b2d264f2

Assign su as a client to all HAL domains
67531bbd · Jeff Vander Stoep · 6f92d408 · 67531bbd
Commit 67531bbd authored Jul 28, 2017 by Jeff Vander Stoep
--- a/public/su.te
+++ b/public/su.te
@@ -50,4 +50,47 @@ userdebug_or_eng(`
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
  dontaudit su postinstall_file:filesystem *;
+  # VTS tests run in the permissive su domain on debug builds, but the HALs
+  # being tested run in enforcing mode. Because hal_foo_server is enforcing
+  # su needs to be declared as hal_foo_client to grant hal_foo_server
+  # permission to interact with it.
+  typeattribute su halclientdomain;
+  typeattribute su hal_allocator_client;
+  typeattribute su hal_audio_client;
+  typeattribute su hal_bluetooth_client;
+  typeattribute su hal_bootctl_client;
+  typeattribute su hal_camera_client;
+  typeattribute su hal_configstore_client;
+  typeattribute su hal_contexthub_client;
+  typeattribute su hal_drm_client;
+  typeattribute su hal_cas_client;
+  typeattribute su hal_dumpstate_client;
+  typeattribute su hal_fingerprint_client;
+  typeattribute su hal_gatekeeper_client;
+  typeattribute su hal_gnss_client;
+  typeattribute su hal_graphics_allocator_client;
+  typeattribute su hal_graphics_composer_client;
+  typeattribute su hal_health_client;
+  typeattribute su hal_ir_client;
+  typeattribute su hal_keymaster_client;
+  typeattribute su hal_light_client;
+  typeattribute su hal_memtrack_client;
+  typeattribute su hal_neuralnetworks_client;
+  typeattribute su hal_nfc_client;
+  typeattribute su hal_oemlock_client;
+  typeattribute su hal_power_client;
+  typeattribute su hal_sensors_client;
+  typeattribute su hal_telephony_client;
+  typeattribute su hal_tetheroffload_client;
+  typeattribute su hal_thermal_client;
+  typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_input_client;
+  typeattribute su hal_usb_client;
+  typeattribute su hal_vibrator_client;
+  typeattribute su hal_vr_client;
+  typeattribute su hal_weaver_client;
+  typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_offload_client;
+  typeattribute su hal_wifi_supplicant_client;
 ')