shamp: Add SEPolicy and compat matrix for shamp
Bug: 329367768
This is the basic SELinux setup for a HAL. Since this lives in
gs-common and not all pixel devices will have the corresponding vendor
manifest, this hal will have to be marked as optional.
Test: If this was configured incorrectly, then the build should fail
Doc: go/shared-modem-platform-cpp-backend
Change-Id: I6dd0ee3d68ff226e14e3bdffe2e828c1184c1a01
diff --git a/modem/shared_modem_platform/compatibility_matrix.xml b/modem/shared_modem_platform/compatibility_matrix.xml
new file mode 100644
index 0000000..5019c3e
--- /dev/null
+++ b/modem/shared_modem_platform/compatibility_matrix.xml
@@ -0,0 +1,11 @@
+<compatibility-matrix version="1.0" type="framework">
+ <!-- Optional since older devices will not register any services. -->
+ <hal format="aidl" optional="true">
+ <name>com.google.pixel.shared_modem_platform</name>
+ <version>1</version>
+ <interface>
+ <name>ISharedModemPlatform</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+</compatibility-matrix>
diff --git a/modem/shared_modem_platform/sepolicy/attributes b/modem/shared_modem_platform/sepolicy/attributes
new file mode 100644
index 0000000..2cc802d
--- /dev/null
+++ b/modem/shared_modem_platform/sepolicy/attributes
@@ -0,0 +1 @@
+hal_attribute(shared_modem_platform)
diff --git a/modem/shared_modem_platform/sepolicy/hal_shared_modem_platform.te b/modem/shared_modem_platform/sepolicy/hal_shared_modem_platform.te
new file mode 100644
index 0000000..8771563
--- /dev/null
+++ b/modem/shared_modem_platform/sepolicy/hal_shared_modem_platform.te
@@ -0,0 +1,8 @@
+# Allow binder connection from client to server
+binder_call(hal_shared_modem_platform_client, hal_shared_modem_platform_server)
+
+# Allow client to find the service, server to register the service
+hal_attribute_service(hal_shared_modem_platform, hal_shared_modem_platform_service)
+
+# Allow binder communication from server to service_manager
+binder_use(hal_shared_modem_platform_server)
diff --git a/modem/shared_modem_platform/sepolicy/service.te b/modem/shared_modem_platform/sepolicy/service.te
new file mode 100644
index 0000000..390fde6
--- /dev/null
+++ b/modem/shared_modem_platform/sepolicy/service.te
@@ -0,0 +1 @@
+type hal_shared_modem_platform_service, hal_service_type, service_manager_type;
diff --git a/modem/shared_modem_platform/sepolicy/service_contexts b/modem/shared_modem_platform/sepolicy/service_contexts
new file mode 100644
index 0000000..58232f7
--- /dev/null
+++ b/modem/shared_modem_platform/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# Bind Shared Modem Platform AIDL service name to the SELinux type.
+com.google.pixel.shared_modem_platform.ISharedModemPlatform/default u:object_r:hal_shared_modem_platform_service:s0
diff --git a/modem/shared_modem_platform/shared_modem_platform.mk b/modem/shared_modem_platform/shared_modem_platform.mk
index 2e0c026..3f50c37 100644
--- a/modem/shared_modem_platform/shared_modem_platform.mk
+++ b/modem/shared_modem_platform/shared_modem_platform.mk
@@ -7,3 +7,5 @@
SOONG_CONFIG_shared_modem_platform_vendor := $(SHARED_MODEM_PLATFORM_VENDOR)
PRODUCT_PACKAGES += shared_modem_platform
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/modem/shared_modem_platform/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/shared_modem_platform/sepolicy