From d3ce5dc38c0a6bdb04bdd69cb6b8605ccb031d3b Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Wed, 22 Mar 2017 09:16:49 -0700
Subject: [PATCH] Allow hals to read hwservicemanager prop.

Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2
---
 private/app.te             | 3 +++
 private/halclientdomain.te | 3 +++
 private/halserverdomain.te | 3 +++
 public/bootanim.te         | 3 +++
 public/bufferhubd.te       | 2 ++
 public/mediacodec.te       | 4 ++++
 public/mediaserver.te      | 3 +++
 public/sensord.te          | 3 +++
 8 files changed, 24 insertions(+)

diff --git a/private/app.te b/private/app.te
index ed2d8b608..c5943ddb6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -244,6 +244,9 @@ allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
 auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index aa224ec04..d4bdef93d 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -5,3 +5,6 @@
 # Find out whether a HAL in passthrough/in-process mode or
 # binderized/out-of-process mode
 hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
index 7be8360a4..f36e0e7d8 100644
--- a/private/halserverdomain.te
+++ b/private/halserverdomain.te
@@ -7,3 +7,6 @@ hwbinder_use(halserverdomain)
 
 # Find HAL implementations
 allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c5702ddf..99224510b 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,6 +2,9 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 231443357..7d5be49fe 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -2,6 +2,8 @@
 type bufferhubd, domain, mlstrustedsubject;
 type bufferhubd_exec, exec_type, file_type;
 
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
 pdx_server(bufferhubd)
 use_pdx(bufferhubd, performanced)
 
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6ab90eb3d..f0e7e9a3d 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,6 +4,10 @@ type mediacodec_exec, exec_type, file_type;
 
 typeattribute mediacodec mlstrustedsubject;
 
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index a641bf743..46140b3ac 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -4,6 +4,9 @@ type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
 net_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
diff --git a/public/sensord.te b/public/sensord.te
index bffe3cda4..3211f8103 100644
--- a/public/sensord.te
+++ b/public/sensord.te
@@ -2,6 +2,9 @@
 type sensord, domain, mlstrustedsubject;
 type sensord_exec, exec_type, file_type;
 
+hal_client_domain(sensord, hal_graphics_allocator)
+allow sensord hal_graphics_allocator:fd use;
+
 pdx_server(sensord)
 use_pdx(sensord, bufferhubd)
 use_pdx(sensord, performanced)
-- 
GitLab