From a9ce208680b3a9c1ddcf9bfce886909b66297964 Mon Sep 17 00:00:00 2001
From: Alexey Polyudov <apolyudov@google.com>
Date: Thu, 20 Oct 2016 11:20:25 -0700
Subject: [PATCH] gatekeeper HAL service: add security policy

Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
---
 private/file_contexts             | 1 +
 private/hal_gatekeeper_default.te | 4 ++++
 public/attributes                 | 1 +
 public/gatekeeperd.te             | 6 +++---
 public/hal_gatekeeper.te          | 9 +++++++++
 5 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 private/hal_gatekeeper_default.te
 create mode 100644 public/hal_gatekeeper.te

diff --git a/private/file_contexts b/private/file_contexts
index 6f8f7416a..5b5b7d509 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -233,6 +233,7 @@
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
+/system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
 /system/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
diff --git a/private/hal_gatekeeper_default.te b/private/hal_gatekeeper_default.te
new file mode 100644
index 000000000..e0c561336
--- /dev/null
+++ b/private/hal_gatekeeper_default.te
@@ -0,0 +1,4 @@
+type hal_gatekeeper_default, hal_gatekeeper, domain;
+type hal_gatekeeper_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_gatekeeper_default);
diff --git a/public/attributes b/public/attributes
index faf6b9742..9bed18da2 100644
--- a/public/attributes
+++ b/public/attributes
@@ -117,6 +117,7 @@ attribute update_engine_common;
 # HALs
 attribute hal_audio;
 attribute hal_dumpstate;
+attribute hal_gatekeeper;
 attribute hal_graphics_allocator;
 attribute hal_graphics_composer;
 attribute hal_health;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index f6ec1abbf..3831dff71 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,11 +1,10 @@
-type gatekeeperd, domain;
+# normally uses HAL; implements HAL in pass-through mode only
+type gatekeeperd, hal_gatekeeper, domain;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
 
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
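Review bot: Giving gatekeeperd the hal_gatekeeper attribute on the `type gatekeeperd, hal_gatekeeper, domain;` line hands the system daemon every rule written for that attribute unconditionally, so the tee_device rw and ion_device rules removed here are in effect still granted to gatekeeperd, and the hwbinder grant is added, even on a device that ships a separate binderized HAL process. The new comment says this is for pass-through mode only, but nothing visible in the policy makes the grant conditional on that mode, so a binderized configuration keeps direct TEE access in a system domain that no longer needs it. If the two configurations cannot yet be told apart in policy, state that limitation where the attribute is attached: `# hal_gatekeeper grants tee_device access; gatekeeperd only needs it when it loads the HAL in pass-through mode. Revisit once a binderized-only configuration can drop the attribute.`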
@@ -20,6 +19,7 @@ allow gatekeeperd keystore:keystore_key { add_auth };
 # For permissions checking
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
+
 # For parent user ID lookup
 allow gatekeeperd user_service:service_manager find;
 
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
new file mode 100644
index 000000000..27912b765
--- /dev/null
+++ b/public/hal_gatekeeper.te
@@ -0,0 +1,9 @@
+# hwbinder access
+hwbinder_use(hal_gatekeeper)
+
+# call into gatekeeperd process (callbacks)
+binder_call(hal_gatekeeper, gatekeeperd)
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
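Review bot: `binder_call(hal_gatekeeper, gatekeeperd)` under the "callbacks" comment grants every hal_gatekeeper domain, i.e. a vendor HAL process, permission to call into gatekeeperd over binder, yet nothing in this patch shows which callback the HAL makes, and as far as I recall the gatekeeper HAL methods are synchronous request/response with no callback interface; please confirm a real call path exists, or drop the rule as unused privilege into a system daemon. Because gatekeeperd is itself made a hal_gatekeeper domain in this patch, the rule also becomes a self-call grant there, which is harmless but worth stating. If the rule stays, make the comment name the path it serves, e.g. `# Allow the HAL implementation to call back into gatekeeperd over binder (<interface/method>).`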
-- 
GitLab