From f41d89eb249ca1f9fce41d86852047f924b1714e Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 10 Jan 2017 15:54:25 -0800
Subject: [PATCH] Group all HAL impls using haldomain attribute

This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
---
 private/hal_audio_default.te              |  5 +++--
 private/hal_bluetooth_default.te          |  5 +++--
 private/hal_contexthub_default.te         |  5 +++--
 private/hal_dumpstate_default.te          |  5 +++--
 private/hal_fingerprint_default.te        |  6 +++---
 private/hal_gatekeeper_default.te         |  5 +++--
 private/hal_gnss_default.te               |  5 +++--
 private/hal_graphics_allocator_default.te |  5 +++--
 private/hal_graphics_composer_default.te  |  5 +++--
 private/hal_health_default.te             |  5 +++--
 private/hal_ir_default.te                 |  5 +++--
 private/hal_light_default.te              |  5 +++--
 private/hal_memtrack_default.te           |  5 +++--
 private/hal_nfc_default.te                |  5 +++--
 private/hal_power_default.te              |  5 +++--
 private/hal_sensors_default.te            |  5 +++--
 private/hal_thermal_default.te            |  5 +++--
 private/hal_vibrator_default.te           |  5 +++--
 private/hal_vr_default.te                 |  5 +++--
 private/hal_wifi_default.te               |  5 +++--
 private/haldomain.te                      |  3 +++
 public/attributes                         |  3 +++
 public/hal_allocator.te                   |  2 +-
 public/hal_boot.te                        |  2 +-
 public/te_macros                          | 14 ++++++++++++++
 25 files changed, 82 insertions(+), 43 deletions(-)
 create mode 100644 private/haldomain.te

diff --git a/private/hal_audio_default.te b/private/hal_audio_default.te
index bbbd41927..93ffd8e51 100644
--- a/private/hal_audio_default.te
+++ b/private/hal_audio_default.te
@@ -1,4 +1,5 @@
-type hal_audio_default, hal_audio, domain;
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default, domain;
+hal_impl_domain(hal_audio_default, hal_audio)
 
+type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index f77410cf3..b8fce63e1 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -1,6 +1,7 @@
-type hal_bluetooth_default, hal_bluetooth, domain;
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default, domain;
+hal_impl_domain(hal_bluetooth_default, hal_bluetooth)
 
+type hal_bluetooth_default_exec, exec_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
 
 # VTS tests need to be able to toggle rfkill
diff --git a/private/hal_contexthub_default.te b/private/hal_contexthub_default.te
index 99b6b9376..abf5b0e3b 100644
--- a/private/hal_contexthub_default.te
+++ b/private/hal_contexthub_default.te
@@ -1,4 +1,5 @@
-type hal_contexthub_default, hal_contexthub, domain;
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default, domain;
+hal_impl_domain(hal_contexthub_default, hal_contexthub)
 
+type hal_contexthub_default_exec, exec_type, file_type;
 init_daemon_domain(hal_contexthub_default)
diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te
index 46160397b..2b371b9a6 100644
--- a/private/hal_dumpstate_default.te
+++ b/private/hal_dumpstate_default.te
@@ -1,4 +1,5 @@
-type hal_dumpstate_default, hal_dumpstate, domain;
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default, domain;
+hal_impl_domain(hal_dumpstate_default, hal_dumpstate)
 
+type hal_dumpstate_default_exec, exec_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
diff --git a/private/hal_fingerprint_default.te b/private/hal_fingerprint_default.te
index 3903f8533..c392a8583 100644
--- a/private/hal_fingerprint_default.te
+++ b/private/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
-type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default, domain;
+hal_impl_domain(hal_fingerprint_default, hal_fingerprint)
+
 type hal_fingerprint_default_exec, exec_type, file_type;
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
 init_daemon_domain(hal_fingerprint_default)
diff --git a/private/hal_gatekeeper_default.te b/private/hal_gatekeeper_default.te
index e0c561336..3c84b1378 100644
--- a/private/hal_gatekeeper_default.te
+++ b/private/hal_gatekeeper_default.te
@@ -1,4 +1,5 @@
-type hal_gatekeeper_default, hal_gatekeeper, domain;
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default, domain;
+hal_impl_domain(hal_gatekeeper_default, hal_gatekeeper)
 
+type hal_gatekeeper_default_exec, exec_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
diff --git a/private/hal_gnss_default.te b/private/hal_gnss_default.te
index 29ff99411..78f85bcf1 100644
--- a/private/hal_gnss_default.te
+++ b/private/hal_gnss_default.te
@@ -1,6 +1,7 @@
-type hal_gnss_default, hal_gnss, domain;
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default, domain;
+hal_impl_domain(hal_gnss_default, hal_gnss)
 
+type hal_gnss_default_exec, exec_type, file_type;
 init_daemon_domain(hal_gnss_default)
 
 # Read access to system files for HALs in
diff --git a/private/hal_graphics_allocator_default.te b/private/hal_graphics_allocator_default.te
index 36dcca30f..6b3672cf9 100644
--- a/private/hal_graphics_allocator_default.te
+++ b/private/hal_graphics_allocator_default.te
@@ -1,4 +1,5 @@
-type hal_graphics_allocator_default, hal_graphics_allocator, domain;
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default, domain;
+hal_impl_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
+type hal_graphics_allocator_default_exec, exec_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
diff --git a/private/hal_graphics_composer_default.te b/private/hal_graphics_composer_default.te
index 9ddf71f13..99bf690fc 100644
--- a/private/hal_graphics_composer_default.te
+++ b/private/hal_graphics_composer_default.te
@@ -1,4 +1,5 @@
-type hal_graphics_composer_default, hal_graphics_composer, domain;
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default, domain;
+hal_impl_domain(hal_graphics_composer_default, hal_graphics_composer)
 
+type hal_graphics_composer_default_exec, exec_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
diff --git a/private/hal_health_default.te b/private/hal_health_default.te
index e853fb6f1..0496cdf01 100644
--- a/private/hal_health_default.te
+++ b/private/hal_health_default.te
@@ -1,5 +1,6 @@
 # health info abstraction
-type hal_health_default, hal_health, domain;
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default, domain;
+hal_impl_domain(hal_health_default, hal_health)
 
+type hal_health_default_exec, exec_type, file_type;
 init_daemon_domain(hal_health_default)
diff --git a/private/hal_ir_default.te b/private/hal_ir_default.te
index 1f3d694bf..2de1b9285 100644
--- a/private/hal_ir_default.te
+++ b/private/hal_ir_default.te
@@ -1,4 +1,5 @@
-type hal_ir_default, hal_ir, domain;
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default, domain;
+hal_impl_domain(hal_ir_default, hal_ir)
 
+type hal_ir_default_exec, exec_type, file_type;
 init_daemon_domain(hal_ir_default)
diff --git a/private/hal_light_default.te b/private/hal_light_default.te
index aee44d9cf..bee7c8a53 100644
--- a/private/hal_light_default.te
+++ b/private/hal_light_default.te
@@ -1,4 +1,5 @@
-type hal_light_default, hal_light, domain;
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default, domain;
+hal_impl_domain(hal_light_default, hal_light)
 
+type hal_light_default_exec, exec_type, file_type;
 init_daemon_domain(hal_light_default)
diff --git a/private/hal_memtrack_default.te b/private/hal_memtrack_default.te
index 113ee1871..1c5ca99de 100644
--- a/private/hal_memtrack_default.te
+++ b/private/hal_memtrack_default.te
@@ -1,4 +1,5 @@
-type hal_memtrack_default, hal_memtrack, domain;
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default, domain;
+hal_impl_domain(hal_memtrack_default, hal_memtrack)
 
+type hal_memtrack_default_exec, exec_type, file_type;
 init_daemon_domain(hal_memtrack_default)
diff --git a/private/hal_nfc_default.te b/private/hal_nfc_default.te
index 1f7c4ed7a..b6abb1958 100644
--- a/private/hal_nfc_default.te
+++ b/private/hal_nfc_default.te
@@ -1,4 +1,5 @@
-type hal_nfc_default, hal_nfc, domain;
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default, domain;
+hal_impl_domain(hal_nfc_default, hal_nfc)
 
+type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
diff --git a/private/hal_power_default.te b/private/hal_power_default.te
index e61375d40..c8977eedb 100644
--- a/private/hal_power_default.te
+++ b/private/hal_power_default.te
@@ -1,4 +1,5 @@
-type hal_power_default, hal_power, domain;
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default, domain;
+hal_impl_domain(hal_power_default, hal_power)
 
+type hal_power_default_exec, exec_type, file_type;
 init_daemon_domain(hal_power_default)
diff --git a/private/hal_sensors_default.te b/private/hal_sensors_default.te
index 5f2944669..3c3a104a6 100644
--- a/private/hal_sensors_default.te
+++ b/private/hal_sensors_default.te
@@ -1,4 +1,5 @@
-type hal_sensors_default, hal_sensors, domain;
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default, domain;
+hal_impl_domain(hal_sensors_default, hal_sensors)
 
+type hal_sensors_default_exec, exec_type, file_type;
 init_daemon_domain(hal_sensors_default)
diff --git a/private/hal_thermal_default.te b/private/hal_thermal_default.te
index a2ff70e16..baa3b97ab 100644
--- a/private/hal_thermal_default.te
+++ b/private/hal_thermal_default.te
@@ -1,4 +1,5 @@
-type hal_thermal_default, hal_thermal, domain;
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default, domain;
+hal_impl_domain(hal_thermal_default, hal_thermal)
 
+type hal_thermal_default_exec, exec_type, file_type;
 init_daemon_domain(hal_thermal_default)
diff --git a/private/hal_vibrator_default.te b/private/hal_vibrator_default.te
index e6339537e..c185e0862 100644
--- a/private/hal_vibrator_default.te
+++ b/private/hal_vibrator_default.te
@@ -1,4 +1,5 @@
-type hal_vibrator_default, hal_vibrator, domain;
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default, domain;
+hal_impl_domain(hal_vibrator_default, hal_vibrator)
 
+type hal_vibrator_default_exec, exec_type, file_type;
 init_daemon_domain(hal_vibrator_default)
diff --git a/private/hal_vr_default.te b/private/hal_vr_default.te
index ba85157a5..f32c737c1 100644
--- a/private/hal_vr_default.te
+++ b/private/hal_vr_default.te
@@ -1,4 +1,5 @@
-type hal_vr_default, hal_vr, domain;
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default, domain;
+hal_impl_domain(hal_vr_default, hal_vr)
 
+type hal_vr_default_exec, exec_type, file_type;
 init_daemon_domain(hal_vr_default)
diff --git a/private/hal_wifi_default.te b/private/hal_wifi_default.te
index a32a9070a..5946ba43f 100644
--- a/private/hal_wifi_default.te
+++ b/private/hal_wifi_default.te
@@ -1,4 +1,5 @@
-type hal_wifi_default, hal_wifi, domain;
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default, domain;
+hal_impl_domain(hal_wifi_default, hal_wifi)
 
+type hal_wifi_default_exec, exec_type, file_type;
 init_daemon_domain(hal_wifi_default)
diff --git a/private/haldomain.te b/private/haldomain.te
new file mode 100644
index 000000000..511f78dc9
--- /dev/null
+++ b/private/haldomain.te
@@ -0,0 +1,3 @@
+###
+### Rules for all HAL implementations
+###
diff --git a/public/attributes b/public/attributes
index 30a6014cc..66cc59403 100644
--- a/public/attributes
+++ b/public/attributes
@@ -114,6 +114,9 @@ attribute boot_control_hal;
 # recovery for A/B devices.
 attribute update_engine_common;
 
+# All domains used for HAL implementations
+attribute haldomain;
+
 # HALs
 attribute hal_audio;
 attribute hal_bluetooth;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index 784bacbce..0f3983bdf 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,5 +1,5 @@
 # allocator subsystem
-type hal_allocator, domain;
+type hal_allocator, domain, haldomain;
 type hal_allocator_exec, exec_type, file_type;
 
 # hwbinder access
diff --git a/public/hal_boot.te b/public/hal_boot.te
index 3cbbb2916..d04ced28b 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -1,5 +1,5 @@
 # boot_control subsystem
-type hal_boot, domain, boot_control_hal;
+type hal_boot, domain, boot_control_hal, haldomain;
 type hal_boot_exec, exec_type, file_type;
 
 # hwbinder access
diff --git a/public/te_macros b/public/te_macros
index 70f0fdf2e..d1267ec2d 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -115,6 +115,20 @@ define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')
 
+#####################################
+# hal_impl_domain(domain, hal_type_attr)
+# Allow a base set of permissions required for a domain to host a
+# HAL implementation of the specified HAL type.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_impl_domain(hal_foo_default, hal_foo)
+#
+define(`hal_impl_domain', `
+typeattribute $1 haldomain;
+typeattribute $1 $2;
+')
+
 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
-- 
GitLab