add selinux policy for GNSS hal

The following are the avc denials that are addressed: avc: denied { call } for pid=889 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_gnss_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0 avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Bug:31974439 Test: Checked that there no more related avc denial messages related to the GNSS HAL in dmesg. Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5

add selinux policy for GNSS hal
953c4396 · Hridya Valsaraju · 9e7a5b0a · 953c4396 · 953c4396 · 953c4396
Commit 953c4396 authored 8 years ago by Hridya Valsaraju
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -240,6 +240,7 @@
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
+/system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
 /system/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0

--- a/private/hal_gnss_default.te
+++ b/private/hal_gnss_default.te
+type hal_gnss_default, hal_gnss, domain;
+type hal_gnss_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_gnss_default)
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_gnss, system_file)
--- a/public/attributes
+++ b/public/attributes
@@ -119,6 +119,7 @@ attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_dumpstate;
 attribute hal_gatekeeper;
+attribute hal_gnss;
 attribute hal_graphics_allocator;
 attribute hal_graphics_composer;
 attribute hal_health;

--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
+# hwbinder access
+hwbinder_use(hal_gnss)
+
+binder_call(hal_gnss, system_server)
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -162,6 +162,7 @@ hwbinder_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_gnss);
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
 binder_call(system_server, hal_memtrack)