Merge "Switch Keymaster HAL policy to _client/_server"
diff --git a/public/attributes b/public/attributes
index d418375..55f87ca 100644
--- a/public/attributes
+++ b/public/attributes
@@ -150,6 +150,8 @@
attribute hal_health;
attribute hal_ir;
attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
attribute hal_light;
attribute hal_memtrack;
attribute hal_nfc;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index a3aef59..d50812c 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,5 @@
-# hwbinder access
-hwbinder_use(hal_keymaster)
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster tee:unix_stream_socket connectto;
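Review bot: The two TEE rules kept below the new `binder_call` line are still granted to the base `hal_keymaster` attribute rather than to `hal_keymaster_server`. Whether client domains such as keystore and vold end up with `tee_device` and `tee` socket access therefore depends on how `hal_client_domain` and `hal_server_domain` associate that base attribute, and this diff does not show it. If only the domain hosting the HAL implementation is meant to reach the TEE, say so above the rules, e.g. `# TEE access for the domain hosting the Keymaster HAL implementation; clients must not rely on it`. The removed `hwbinder_use(hal_keymaster)` is presumably re-granted by the new macros; please confirm, since the server still has to register with hwservicemanager.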
diff --git a/public/keystore.te b/public/keystore.te
index ec6d192..55cafc5 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -8,14 +8,11 @@
binder_call(keystore, system_server)
# talk to keymaster
-binder_call(keystore, hwservicemanager)
-binder_call(keystore, hal_keymaster)
+hal_client_domain(keystore, hal_keymaster)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
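Review bot: Nothing in the new rules pins the removal of keystore's direct `tee_device:chr_file` and `tee:unix_stream_socket` access, so a later change could quietly re-add it. The same applies to the `tee_device` rule dropped from vold in the last hunk of public/vold.te. Consider a rule such as `neverallow keystore tee_device:chr_file *;` in the Neverallow section of each file, with the vold equivalent alongside it. It would need to be wrapped in the Treble-only conditional if clients may still host the HAL in-process on other builds, which this diff does not show. That would make the least-privilege intent of the switch to `hal_client_domain` enforceable at build time instead of relying on review.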
@@ -23,9 +20,7 @@
# Check SELinux permissions.
selinux_check_access(keystore)
-allow keystore ion_device:chr_file r_file_perms;
r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
###
### Neverallow rules
diff --git a/public/vold.te b/public/vold.te
index 0e4eddc..cda6424 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,7 +27,6 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
@@ -87,8 +86,6 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
-allow vold ion_device:chr_file r_file_perms;
-
#
# Rules to support encrypted fs support.
#
@@ -131,9 +128,7 @@
binder_call(vold, healthd)
# talk to keymaster
-binder_call(vold, hwservicemanager)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 4c6d0d2..32df262 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)