Merge "Use _client and _server for Audio HAL policy"

private/audioserver.te

@@ -10,12 +10,8 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, appdomain)
 binder_service(audioserver)
 
-hwbinder_use(audioserver)
-binder_call(audioserver, hal_audio)
-hwallocator_use(audioserver)
+hal_client_domain(audioserver, hal_audio)
 
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
 
 userdebug_or_eng(`
@@ -28,9 +24,6 @@ userdebug_or_eng(`
   allow audioserver self:process ptrace;
 ')
 
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
 add_service(audioserver, audioserver_service)
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
@@ -42,10 +35,6 @@ allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
 ###
 ### neverallow rules
 ###

private/halclientdomain.te

+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)

private/haldomain.te

-###
-### Rules for all HAL implementations
-###
-
-hwbinder_use(haldomain)
-
-# find passthrough hals
-allow haldomain system_file:dir r_dir_perms;

private/halserverdomain.te

+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;

public/attributes

@@ -117,11 +117,15 @@ attribute boot_control_hal;
 # recovery for A/B devices.
 attribute update_engine_common;
 
-# All domains used for HAL implementations
-attribute haldomain;
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
 
 # HALs
 attribute hal_audio;
+attribute hal_audio_client;
+attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_camera;
 attribute hal_configstore;

public/hal_audio.te

-binder_use(hal_audio)
-binder_call(hal_audio, audioserver)
-binder_call(hal_audio, system_server)
-hwallocator_use(hal_audio)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+# Both client and the server need to use hwallocator
+hwallocator_use(hal_audio_client)
+hwallocator_use(hal_audio_server)
 
 allow hal_audio ion_device:chr_file r_file_perms;
 
@@ -17,8 +20,6 @@ r_dir_file(hal_audio, proc)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
-allow hal_audio scheduling_policy_service:service_manager find;
-
 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(hal_audio, bluetooth, bluetooth)
@@ -27,10 +28,9 @@ unix_socket_connect(hal_audio, bluetooth, bluetooth)
 ### neverallow rules
 ###
 
-# hal_audio should never execute any executable without
-# a domain transition
+# Should never execute any executable without a domain transition
 neverallow hal_audio { file_type fs_type }:file execute_no_trans;
 
-# hal_audio should never need network access.
+# Should never need network access.
 # Disallow network sockets.
 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;

public/te_macros

@@ -148,6 +148,7 @@ define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')
 
+# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
 #####################################
 # hal_impl_domain(domain[, hal_type_attr])
 # Allow a base set of permissions required for a domain to host a
@@ -163,10 +164,46 @@ typeattribute $1 bluetoothdomain;
 #   hal_impl_domain(hal_foo_default, hal_foo)
 #
 define(`hal_impl_domain', `
-typeattribute $1 haldomain;
+print(`deprecated: hal_impl_domain($1, $2) Please use hal_server_domain($1, $2) instead.');
+typeattribute $1 halserverdomain;
 ifelse($2, `', `', `typeattribute $1 $2;')
 ')
 
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+#   hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional,
+# once we know at build time whether a HAL is going to run in
+# passthrough or binderized mode.
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via

vendor/hal_audio_default.te

 type hal_audio_default, domain;
-hal_impl_domain(hal_audio_default, hal_audio)
+hal_server_domain(hal_audio_default, hal_audio)
 
 type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)