Switch Keymaster HAL policy to _client/_server

This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7

public/attributes

@@ -150,6 +150,8 @@ attribute hal_graphics_composer;
 attribute hal_health;
 attribute hal_ir;
 attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;

public/hal_keymaster.te

-# hwbinder access
-hwbinder_use(hal_keymaster)
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster tee:unix_stream_socket connectto;

public/keystore.te

@@ -8,14 +8,11 @@ binder_service(keystore)
 binder_call(keystore, system_server)
 
 # talk to keymaster
-binder_call(keystore, hwservicemanager)
-binder_call(keystore, hal_keymaster)
+hal_client_domain(keystore, hal_keymaster)
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
@@ -23,9 +20,7 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
 r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
 
 ###
 ### Neverallow rules

public/vold.te

@@ -27,7 +27,6 @@ allow vold shell_exec:file rx_file_perms;
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
@@ -87,8 +86,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -131,9 +128,7 @@ binder_use(vold)
 binder_call(vold, healthd)
 
 # talk to keymaster
-binder_call(vold, hwservicemanager)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;

vendor/hal_keymaster_default.te

 type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)