Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
diff --git a/public/attributes b/public/attributes
index a0c1f93..799a4fd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -110,11 +110,6 @@
# All domains used for binder service domains.
attribute binderservicedomain;
-# All domains that access the boot_control HAL. The permissions the HAL
-# requires are specific to the implementation provided in each device, but
-# common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
@@ -132,6 +127,9 @@
attribute hal_bluetooth;
attribute hal_bluetooth_client;
attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
attribute hal_camera;
attribute hal_camera_client;
attribute hal_camera_server;
diff --git a/public/boot_control_hal.te b/public/boot_control_hal.te
deleted file mode 100644
index 2a670b3..0000000
--- a/public/boot_control_hal.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/public/device.te b/public/device.te
index 633515f..c9c64dc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -99,6 +99,3 @@
# The 'misc' partition used by recovery and A/B.
type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/public/hal_boot.te b/public/hal_boot.te
deleted file mode 100644
index 870f1e4..0000000
--- a/public/hal_boot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# boot_control subsystem
-type hal_boot, domain, boot_control_hal;
-
-# call into system_server process (callbacks)
-binder_call(hal_boot, system_server)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
new file mode 100644
index 0000000..b731fd6
--- /dev/null
+++ b/public/hal_bootctl.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
diff --git a/public/recovery.te b/public/recovery.te
index 11c01ed..a61c8e9 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -8,7 +8,8 @@
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common, boot_control_hal;
+ typeattribute recovery update_engine_common;
+ hal_client_domain(recovery, hal_bootctl)
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
diff --git a/public/update_engine.te b/public/update_engine.te
index 31ba14f..33eb2a8 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,5 @@
# Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
@@ -39,6 +38,5 @@
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
-# Use binderized HAL
-hwbinder_use(update_engine)
-binder_call(update_engine, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8482159..8c8e9a9 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,11 +1,7 @@
# update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
type update_verifier_exec, exec_type, file_type;
-# find the boot_control_hal
-allow update_verifier system_file:dir r_dir_perms;
-
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;
@@ -16,6 +12,5 @@
# Read all blocks in dm wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
-# Use binderized HAL
-hwbinder_use(update_verifier)
-binder_call(update_verifier, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)