Update SELinux policy for audiohal

Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1

private/android_hardware_audio_2_0_service.te

@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(android_hardware_audio_2_0_service)

private/file_contexts

@@ -169,6 +169,7 @@
 /system/bin/wificond	u:object_r:wificond_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/hw/android\.hardware\.audio@2\.0-service	u:object_r:android_hardware_audio_2_0_service_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
@@ -274,6 +275,7 @@
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
 /data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0

public/android_hardware_audio_2_0_service.te

@@ -0,0 +1,36 @@
+# android_hardware_audio_2_0_service - audio services daemon
+type android_hardware_audio_2_0_service, domain;
+type android_hardware_audio_2_0_service_exec, exec_type, file_type;
+
+hwbinder_use(android_hardware_audio_2_0_service)
+binder_call(android_hardware_audio_2_0_service, audioserver)
+
+allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
+
+allow android_hardware_audio_2_0_service system_file:dir { open read };
+
+userdebug_or_eng(`
+  # used for pcm capture for debug.
+  allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
+  allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(android_hardware_audio_2_0_service, proc)
+allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
+allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# android_hardware_audio_2_0_service should never execute any executable without
+# a domain transition
+neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
+
+# android_hardware_audio_2_0_service should never need network access.
+# Disallow network sockets.
+neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;

public/audioserver.te

@@ -9,6 +9,9 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, { appdomain ephemeral_app })
 binder_service(audioserver)
 
+hwbinder_use(audioserver)
+binder_call(audioserver, android_hardware_audio_2_0_service)
+
 r_dir_file(audioserver, proc)
 allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;

public/file.te

@@ -142,6 +142,7 @@ type postinstall_file, file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
+type audiohal_data_file, file_type, data_file_type;
 type audioserver_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type bluetooth_logs_data_file, file_type, data_file_type;