From 72d18125c1fadceff865da93cef7bb435792b189 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Thu, 15 Dec 2016 12:49:38 -0800
Subject: [PATCH] Sepolicy for allocator hal.

Bug: 32123421
Test: full build/test of allocator hal using hidl_test
Change-Id: I253b4599b6fe6e7f4a2f5f55b34cdeed9e5d769b
---
 private/file_contexts    | 1 +
 private/hal_allocator.te | 1 +
 public/hal_allocator.te  | 6 ++++++
 public/te_macros         | 8 ++++++++
 4 files changed, 16 insertions(+)
 create mode 100644 private/hal_allocator.te
 create mode 100644 public/hal_allocator.te

diff --git a/private/file_contexts b/private/file_contexts
index 95293f79a..c081f5b40 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -244,6 +244,7 @@
 /system/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /system/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /system/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/system/bin/hw/android\.hidl\.memory@1\.0-service             u:object_r:hal_allocator_exec:s0
 
 #############################
 # Vendor files
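Review bot: The added entry labels the service binary `hal_allocator_exec`, while the three neighbouring HAL services in this hunk all use a `hal_<name>_default_exec` type. If that suffix is the convention for default HAL implementations, the new type (declared in public/hal_allocator.te and passed to init_daemon_domain in private/hal_allocator.te) would read more consistently as `hal_allocator_default_exec`, with a matching `hal_allocator_default` domain. Otherwise a short comment on why this service is labelled differently would help later policy audits.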
diff --git a/private/hal_allocator.te b/private/hal_allocator.te
new file mode 100644
index 000000000..d185d490d
--- /dev/null
+++ b/private/hal_allocator.te
@@ -0,0 +1 @@
+init_daemon_domain(hal_allocator)
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
new file mode 100644
index 000000000..784bacbce
--- /dev/null
+++ b/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# allocator subsystem
+type hal_allocator, domain;
+type hal_allocator_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_allocator)
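Review bot: The header comment `# allocator subsystem` does not say which service this domain confines or how clients are meant to reach it. A comment such as `# Domain for the HIDL shared-memory allocator service (android.hidl.memory@1.0-service); client domains are granted access through hwallocator_use()` would tie the type to the file_contexts entry and the te_macros macro added in the same patch. That makes it easier to audit which domains may call into this one.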
diff --git a/public/te_macros b/public/te_macros
index 2dca5e2e9..60c7a1a1b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -222,6 +222,14 @@ define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')
 
+#####################################
+# hwallocator_use(domain)
+# Allow a domain to use Hidl shared memory
+define(`hwallocator_use', `
+# Call into the allocator hal
+binder_call($1, hal_allocator);
+'')
+
 #####################################
 # wakelock_use(domain)
 # Allow domain to manage wake locks
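Review bot: The new `hwallocator_use` definition closes with `'')`, whereas the `binder_service` definition just above it closes with `')`. The second `'` sits outside the quoted body, so it looks like it becomes a literal character in the macro text and would surface in the expanded policy of any domain that calls the macro; the closing line should be `')`. The call `binder_call($1, hal_allocator);` also carries a trailing `;`, which would follow the expanded rules if binder_call expands to complete statements, so it is probably better written as `binder_call($1, hal_allocator)`. No caller of hwallocator_use is visible in this patch, so the build and hidl_test run named in the commit message may never have expanded it.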
-- 
GitLab