Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/public/hwservice.te b/microdroid/sepolicy/system/public/hwservice.te
new file mode 100644
index 0000000..11b77f0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hwservice.te
@@ -0,0 +1,101 @@
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+# untrusted app access in mind.
+type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };