Create selinux policy for remoteaccess HAL.
Will add fuzzer once the service is implemented.
Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7a7f61f..d571349 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -23,6 +23,7 @@
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": []string{},
"android.hardware.boot.IBootControl/default": []string{},
"android.hardware.automotive.evs.IEvsEnumerator/hw/1": []string{},
+ "android.hardware.automotive.remoteaccess.IRemoteAccess/default": []string{},
"android.hardware.automotive.vehicle.IVehicle/default": []string{},
"android.hardware.automotive.audiocontrol.IAudioControl/default": []string{},
"android.hardware.biometrics.face.IFace/default": []string{},
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 90e2eaf..9f1659d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,7 @@
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
hal_bootctl_service
+ hal_remoteaccess_service
hal_tv_input_service
keystore_config_prop
permissive_mte_prop
diff --git a/private/service_contexts b/private/service_contexts
index 1504bac..336d93e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -5,8 +5,9 @@
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
-android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
+android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
+android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
diff --git a/public/attributes b/public/attributes
index aeed208..f431725 100644
--- a/public/attributes
+++ b/public/attributes
@@ -362,6 +362,7 @@
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
+hal_attribute(remoteaccess);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/hal_remoteaccess.te b/public/hal_remoteaccess.te
new file mode 100644
index 0000000..8a55529
--- /dev/null
+++ b/public/hal_remoteaccess.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_remoteaccess_client, hal_remoteaccess_server)
+binder_call(hal_remoteaccess_server, hal_remoteaccess_client)
+
+hal_attribute_service(hal_remoteaccess, hal_remoteaccess_service)
+
diff --git a/public/service.te b/public/service.te
index 4bd5e65..ec706b1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -294,6 +294,7 @@
type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 24f0d51..2828b0b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,6 +13,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
diff --git a/vendor/hal_remoteaccess_default.te b/vendor/hal_remoteaccess_default.te
new file mode 100644
index 0000000..571b827
--- /dev/null
+++ b/vendor/hal_remoteaccess_default.te
@@ -0,0 +1,6 @@
+type hal_remoteaccess_default, domain;
+hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
+
+# may be started by init
+type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_remoteaccess_default)