From 394dbe34a0dc7519acb9948175ba63ee18bedbed Mon Sep 17 00:00:00 2001
From: Pavel Maltsev
Date: Tue, 10 Apr 2018 14:07:14 -0700
Subject: [PATCH] Move automotive HALs sepolicy to system/
Bug: 70637118
Test: build, flash and boot bat_land and owl automotive builds
Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
---
 private/compat/26.0/26.0.ignore.cil | 3 +++
 private/compat/27.0/27.0.ignore.cil | 3 +++
 private/hwservice_contexts | 3 +++
 public/attributes | 3 +++
 public/hal_audiocontrol.te | 5 +++++
 public/hal_evs.te | 5 +++++
 public/hal_vehicle.te | 5 +++++
 public/hwservice.te | 3 +++
 vendor/file_contexts | 3 +++
 vendor/hal_audiocontrol_default.te | 7 +++++++
 vendor/hal_evs_default.te | 10 ++++++++++
 vendor/hal_vehicle_default.te | 7 +++++++
 12 files changed, 57 insertions(+)
 create mode 100644 public/hal_audiocontrol.te
 create mode 100644 public/hal_evs.te
 create mode 100644 public/hal_vehicle.te
 create mode 100644 vendor/hal_audiocontrol_default.te
 create mode 100644 vendor/hal_evs_default.te
 create mode 100644 vendor/hal_vehicle_default.te
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 71c7a0074..16d99b870 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,17 +43,20 @@
 exported3_system_prop
 fingerprint_vendor_data_file
 fs_bpf
+ hal_audiocontrol_hwservice
 hal_authsecret_hwservice
 hal_broadcastradio_hwservice
 hal_cas_hwservice
 hal_codec2_hwservice
 hal_confirmationui_hwservice
+ hal_evs_hwservice
 hal_lowpan_hwservice
 hal_neuralnetworks_hwservice
 hal_secure_element_hwservice
 hal_tetheroffload_hwservice
 hal_wifi_hostapd_hwservice
 hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
 hal_wifi_offload_hwservice
 incident_helper
 incident_helper_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 94c81d0cb..21e9d6525 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -39,12 +39,15 @@
 exported_wifi_prop
 fingerprint_vendor_data_file
 fs_bpf
+ hal_audiocontrol_hwservice
 hal_authsecret_hwservice
 hal_codec2_hwservice
 hal_confirmationui_hwservice
+ hal_evs_hwservice
 hal_lowpan_hwservice
 hal_secure_element_hwservice
 hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
 hal_wifi_hostapd_hwservice
 incident_helper
 incident_helper_exec
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 998bf2fea..c75c0a576 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,9 @@ android.frameworks.sensorservice::ISensorManager u:object_r:fwk_s
 android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
diff --git a/public/attributes b/public/attributes
index 159d28e4e..6c55c4179 100644
--- a/public/attributes
+++ b/public/attributes
@@ -240,6 +240,7 @@ expandattribute hal_cas_server false;
 # HALs
 hal_attribute(allocator);
+hal_attribute(audiocontrol);
 hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(broadcastradio);
@@ -247,6 +248,7 @@ hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(dumpstate);
+hal_attribute(evs);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
@@ -271,6 +273,7 @@ hal_attribute(tv_cec);
 hal_attribute(tv_input);
 hal_attribute(usb);
 hal_attribute(usb_gadget);
+hal_attribute(vehicle);
 hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
new file mode 100644
index 000000000..3e5a379f9
--- /dev/null
+++ b/public/hal_audiocontrol.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
diff --git a/public/hal_evs.te b/public/hal_evs.te
new file mode 100644
index 000000000..710051eee
--- /dev/null
+++ b/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
new file mode 100644
index 000000000..f49f5e678
--- /dev/null
+++ b/public/hal_vehicle.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index ca2025870..5fba86ac3 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -2,6 +2,7 @@ type default_android_hwservice, hwservice_manager_type;
 type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type;
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_authsecret_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
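Review bot: public/hal_audiocontrol.te lets hal_audiocontrol_server register hal_audiocontrol_hwservice but grants no domain `find` on it, and public/hal_vehicle.te has the same shape. If that is deliberate, so that every client domain has to request lookup in its own policy, record it in the file, for example `# find on hal_audiocontrol_hwservice is granted per client domain, not to hal_audiocontrol_client`. If it is an omission, the usual line is `allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;`. No client rules are visible in this patch, so which of the two applies cannot be told from here.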
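Review bot: public/hal_evs.te has no `add_hwservice` rule, although this patch labels android.hardware.automotive.evs::IEvsEnumerator as hal_evs_hwservice and declares that type; both sibling files end with one. Unless registration is granted somewhere outside this patch, the EVS server would presumably be denied when it registers the interface; the matching line would be `add_hwservice(hal_evs_server, hal_evs_hwservice)`. The file also lacks the header comment its siblings carry, and the explicit `hwbinder_use(...)` calls appear only here, so a one-line comment saying why EVS needs them would help the next reader.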
@@ -15,6 +16,7 @@ type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_evs_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
@@ -42,6 +44,7 @@ type hal_tv_cec_hwservice, hwservice_manager_type;
 type hal_tv_input_hwservice, hwservice_manager_type;
 type hal_usb_hwservice, hwservice_manager_type;
 type hal_usb_gadget_hwservice, hwservice_manager_type;
+type hal_vehicle_hwservice, hwservice_manager_type;
 type hal_vibrator_hwservice, hwservice_manager_type;
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ba3c705e2..f267468fc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,6 +2,9 @@
 # Default HALs
 #
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
diff --git a/vendor/hal_audiocontrol_default.te b/vendor/hal_audiocontrol_default.te
new file mode 100644
index 000000000..d1940c965
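Review bot: The three types added to public/hwservice.te (hal_audiocontrol_hwservice, hal_evs_hwservice, hal_vehicle_hwservice) carry only `hwservice_manager_type`, and nothing in this patch asserts which domains must never look them up. Tree-wide neverallow rules may already cover new hwservice types, but they are not visible here; if the tree keeps an explicit list of HAL services that app domains must not reach, these three belong in it. For the vehicle HAL in particular, a line in the private policy such as `neverallow all_untrusted_apps hal_vehicle_hwservice:hwservice_manager find;` would turn the intent into a build-time check.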
--- /dev/null
+++ b/vendor/hal_audiocontrol_default.te
@@ -0,0 +1,7 @@
+# audiocontrol subsystem
+type hal_audiocontrol_default, domain;
+hal_server_domain(hal_audiocontrol_default, hal_audiocontrol)
+
+# may be started by init
+type hal_audiocontrol_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audiocontrol_default)
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
new file mode 100644
index 000000000..b927f1e54
--- /dev/null
+++ b/vendor/hal_evs_default.te
@@ -0,0 +1,10 @@
+# evs_mock mock hardware driver service
+type hal_evs_default, domain;
+hal_server_domain(hal_evs_default, hal_evs)
+
+# allow init to launch processes in this context
+type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_evs_default)
+
+allow hal_evs_default hal_graphics_allocator_default:fd use;
+
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
new file mode 100644
index 000000000..e605ecbf1
--- /dev/null
+++ b/vendor/hal_vehicle_default.te
@@ -0,0 +1,7 @@
+# vehicle subsystem
+type hal_vehicle_default, domain;
+hal_server_domain(hal_vehicle_default, hal_vehicle)
+
+# may be started by init
+type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vehicle_default)
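Review bot: The rule `allow hal_evs_default hal_graphics_allocator_default:fd use;` in vendor/hal_evs_default.te is the only explicit allow in the three new vendor domains and it has no comment saying why the EVS service needs descriptors owned by the allocator. It names the default allocator domain rather than an attribute, which is the narrower grant, but it also means a device whose allocator runs under a different domain would hit a denial here; that trade-off should be written down. A comment above the rule such as `# receive buffer fds handed over by the default graphics allocator` would record the intent, assuming that is what the descriptors are. The header comment also describes this as a mock driver, so it is worth confirming that the label is meant to ship in the default vendor policy.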