Switch Allocator HAL policy to _client/_server

This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
diff --git a/private/file_contexts b/private/file_contexts
index 1e7345a..94a2a53 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,7 +247,7 @@
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
#############################
# Vendor files
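Review bot: The relabel of the allocator@1.0-service entry to hal_allocator_default_exec leaves no file_contexts entry in this hunk using hal_allocator_exec, so the old type's declaration (not visible in the lines shown here) should be removed in the same change, otherwise an unused exec type stays in the policy. Also confirm that no device-specific file_contexts still labels a binary hal_allocator_exec, since that would fail to compile once the type is gone.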
diff --git a/private/hal_allocator.te b/private/hal_allocator.te
deleted file mode 100644
index d185d49..0000000
--- a/private/hal_allocator.te
+++ /dev/null
@@ -1 +0,0 @@
-init_daemon_domain(hal_allocator)
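Review bot: With `init_daemon_domain(hal_allocator)` gone, no process transitions into a domain called hal_allocator any more, and the name is reused as the second argument of hal_server_domain() in the new file. Any rule outside this patch that still names hal_allocator as source or target will now cover the server and, in passthrough mode, every client, as the commit message itself notes. Please check the remaining uses and point each at hal_allocator_server or hal_allocator_client explicitly.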
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
new file mode 100644
index 0000000..ff407d5
--- /dev/null
+++ b/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
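Review bot: The new hal_allocator_default.te has no comment recording the assumption stated in the commit message, that the Allocator HAL is always binderized and callers should therefore target hal_allocator_server rather than hal_allocator. A short header comment above `hal_server_domain(hal_allocator_default, hal_allocator)` would keep that constraint next to the policy it governs. As a style point, declaring hal_allocator_default_exec directly under the hal_allocator_default type line, before the macro calls, keeps both type declarations together.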