Switch Bluetooth HAL policy to _client/_server
This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.
Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.
Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5ea6027..b2369c1 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,14 +22,6 @@
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(bluetooth, sysfs_type)
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;
@@ -64,9 +56,7 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
-# Perform HwBinder IPC.
-hwbinder_use(bluetooth)
-binder_call(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index 88fd42b..4fcb322 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
type hal_bluetooth_default, domain;
-hal_impl_domain(hal_bluetooth_default, hal_bluetooth)
+hal_server_domain(hal_bluetooth_default, hal_bluetooth)
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/private/system_server.te b/private/system_server.te
index fa55ada..e23a33c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -181,7 +181,6 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
hwallocator_use(system_server)
-binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
binder_call(system_server, hal_fingerprint)