commit 23e0a7f23ac7a33a877781a642e243fb215f6a76
author Jeff Vander Stoep <jeffv@google.com> Fri Jun 23 08:40:16 2017 -0700
committer Jeff Vander Stoep <jeffv@google.com> Fri Jun 23 11:20:20 2017 -0700
tree beffc332f0e1d9686967149ffa80678bbc342599
parent eb5542a1783816fe6084a9fafb7371dbf2c574ff

system_server is a client of configstore

avc:  denied  { find } for
interface=android.hardware.configstore::ISurfaceFlingerConfigs
scontext=u:r:system_server:s0
tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
tclass=hwservice_manager permissive=0

Bug: 35197529
Test: Device boots without this denial
Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1

private/app.te

diff --git a/private/app.te b/private/app.te
index 25dbdb7..bbd4b92 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,9 +69,6 @@
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3595ee4..b33035e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 99dc663..3c3f82d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,6 +177,7 @@
 
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)

public/hal_configstore.te

diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd..66a168e 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,6 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
 
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # As opposed to the rules of most other HALs, the different services exposed by
 # this HAL should be restricted to different clients. Thus, the allow rules for