From ac2b4cd2cb69b9182725e536f395b64db258d4b8 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 13 Feb 2017 14:40:49 -0800
Subject: [PATCH] Use _client and _server for Audio HAL policy

This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
---
 private/audioserver.te      | 13 +------------
 private/halclientdomain.te  |  7 +++++++
 private/haldomain.te        |  8 --------
 private/halserverdomain.te  |  9 +++++++++
 public/attributes           |  8 ++++++--
 public/hal_audio.te         | 18 ++++++++---------
 public/te_macros            | 39 ++++++++++++++++++++++++++++++++++++-
 vendor/hal_audio_default.te |  2 +-
 8 files changed, 71 insertions(+), 33 deletions(-)
 create mode 100644 private/halclientdomain.te
 delete mode 100644 private/haldomain.te
 create mode 100644 private/halserverdomain.te

diff --git a/private/audioserver.te b/private/audioserver.te
index 88007aaa5..17abd837d 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -10,12 +10,8 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, appdomain)
 binder_service(audioserver)
 
-hwbinder_use(audioserver)
-binder_call(audioserver, hal_audio)
-hwallocator_use(audioserver)
+hal_client_domain(audioserver, hal_audio)
 
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
 
 userdebug_or_eng(`
@@ -28,9 +24,6 @@ userdebug_or_eng(`
   allow audioserver self:process ptrace;
 ')
 
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
 add_service(audioserver, audioserver_service)
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
@@ -42,10 +35,6 @@ allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
 ###
 ### neverallow rules
 ###
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
new file mode 100644
index 000000000..aa224ec04
--- /dev/null
+++ b/private/halclientdomain.te
@@ -0,0 +1,7 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
diff --git a/private/haldomain.te b/private/haldomain.te
deleted file mode 100644
index 2700940ec..000000000
--- a/private/haldomain.te
+++ /dev/null
@@ -1,8 +0,0 @@
-###
-### Rules for all HAL implementations
-###
-
-hwbinder_use(haldomain)
-
-# find passthrough hals
-allow haldomain system_file:dir r_dir_perms;
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
new file mode 100644
index 000000000..7be8360a4
--- /dev/null
+++ b/private/halserverdomain.te
@@ -0,0 +1,9 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
diff --git a/public/attributes b/public/attributes
index d9212fc1c..e48f96f69 100644
--- a/public/attributes
+++ b/public/attributes
@@ -117,11 +117,15 @@ attribute boot_control_hal;
 # recovery for A/B devices.
 attribute update_engine_common;
 
-# All domains used for HAL implementations
-attribute haldomain;
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
 
 # HALs
 attribute hal_audio;
+attribute hal_audio_client;
+attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_camera;
 attribute hal_configstore;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 15d0e414a..1d27c81be 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -1,7 +1,10 @@
-binder_use(hal_audio)
-binder_call(hal_audio, audioserver)
-binder_call(hal_audio, system_server)
-hwallocator_use(hal_audio)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+# Both client and the server need to use hwallocator
+hwallocator_use(hal_audio_client)
+hwallocator_use(hal_audio_server)
 
 allow hal_audio ion_device:chr_file r_file_perms;
 
@@ -17,8 +20,6 @@ r_dir_file(hal_audio, proc)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
-allow hal_audio scheduling_policy_service:service_manager find;
-
 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(hal_audio, bluetooth, bluetooth)
@@ -27,10 +28,9 @@ unix_socket_connect(hal_audio, bluetooth, bluetooth)
 ### neverallow rules
 ###
 
-# hal_audio should never execute any executable without
-# a domain transition
+# Should never execute any executable without a domain transition
 neverallow hal_audio { file_type fs_type }:file execute_no_trans;
 
-# hal_audio should never need network access.
+# Should never need network access.
 # Disallow network sockets.
 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/te_macros b/public/te_macros
index 4e334275f..a98ba7ed1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,6 +148,7 @@ define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')
 
+# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
 #####################################
 # hal_impl_domain(domain[, hal_type_attr])
 # Allow a base set of permissions required for a domain to host a
@@ -163,10 +164,46 @@ typeattribute $1 bluetoothdomain;
 #   hal_impl_domain(hal_foo_default, hal_foo)
 #
 define(`hal_impl_domain', `
-typeattribute $1 haldomain;
+print(`deprecated: hal_impl_domain($1, $2) Please use hal_server_domain($1, $2) instead.');
+typeattribute $1 halserverdomain;
 ifelse($2, `', `', `typeattribute $1 $2;')
 ')
 
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+#   hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional,
+# once we know at build time whether a HAL is going to run in
+# passthrough or binderized mode.
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 93ffd8e51..4811f4da3 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,5 +1,5 @@
 type hal_audio_default, domain;
-hal_impl_domain(hal_audio_default, hal_audio)
+hal_server_domain(hal_audio_default, hal_audio)
 
 type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
-- 
GitLab