From 97c56bdd78629cb3a57acdbd27d977f1cc6eed4b Mon Sep 17 00:00:00 2001
From: Janis Danisevskis <jdanis@google.com>
Date: Tue, 9 Jan 2018 17:42:53 -0500
Subject: [PATCH] Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.
Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
---
 private/app_neverallows.te | 1 +
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/hwservice_contexts | 1 +
 private/keystore.te | 6 ++++++
 public/attributes | 1 +
 public/hal_confirmationui.te | 5 +++++
 public/hwservice.te | 1 +
 public/su.te | 1 +
 vendor/file_contexts | 1 +
 vendor/hal_confirmationui_default.te | 5 +++++
 10 files changed, 23 insertions(+)
 create mode 100644 public/hal_confirmationui.te
 create mode 100644 vendor/hal_confirmationui_default.te
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf9d0d366..bb9142d0b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@ neverallow all_untrusted_apps {
 hal_bluetooth_hwservice
 hal_bootctl_hwservice
 hal_camera_hwservice
+ hal_confirmationui_hwservice
 hal_contexthub_hwservice
 hal_drm_hwservice
 hal_dumpstate_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a906e91f..ca2635759 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
 fs_bpf
 hal_broadcastradio_hwservice
 hal_cas_hwservice
+ hal_confirmationui_hwservice
 hal_lowpan_hwservice
 hal_neuralnetworks_hwservice
 hal_tetheroffload_hwservice
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2aee9..38a9af2a1 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@ android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_b
 android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
 android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
 android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
 android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/keystore.te b/private/keystore.te
index a9647c631..90c472705 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,12 @@ init_daemon_domain(keystore)
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
 # Offer the Wifi Keystore HwBinder service
 typeattribute keystore wifi_keystore_service_server;
 add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/public/attributes b/public/attributes
index 11ffd2e2d..66ce7d09c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,7 @@ hal_attribute(bootctl);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(configstore);
+hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(drm);
 hal_attribute(cas);
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 000000000..228e86496
--- /dev/null
+++ b/public/hal_confirmationui.te
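Review bot: In the private/keystore.te hunk, the comment above `allow keystore platform_app:binder call;` does not explain why the callback target is platform_app, and the rule as written lets keystore make binder calls into every process in that domain. If callers in other app domains are also expected to receive the confirmation callback, they are not covered here; that is an inference, since the clients are not visible in this patch. I would expand the comment to something like `# keystore returns the ConfirmationUI result by calling back into the requesting client; only platform_app clients are permitted here.` so the scope of the grant is recorded next to it. The rest of the keystore policy lies outside the hunk.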
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e30688e..f6ab621fc 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@ type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
diff --git a/public/su.te b/public/su.te
index 88065f626..edc62c3c1 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@ userdebug_or_eng(`
 typeattribute su hal_bootctl_client;
 typeattribute su hal_camera_client;
 typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
 typeattribute su hal_contexthub_client;
 typeattribute su hal_drm_client;
 typeattribute su hal_cas_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b4961d757..e2d3ef727 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 000000000..832c68774
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)
-- GitLab
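Review bot: In the vendor/file_contexts hunk, the added entry spells the alternative prefix `sustem/vendor`, so the pattern matches only `/vendor/bin/hw/...` and never `/system/vendor/bin/hw/...`, unlike every neighbouring entry. On a device where the vendor tree lives under /system/vendor, the service binary would not be labelled `hal_confirmationui_default_exec`, and the `init_daemon_domain(hal_confirmationui_default)` transition added in vendor/hal_confirmationui_default.te would then not apply; the HAL would presumably fail to start or run outside its intended domain. The prefix should read `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`, with the label unchanged.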