commit 439563f9437b364222ac03d15cf7948c1e96bdc2
author Nikita Ioffe <ioffe@google.com> Tue Dec 10 18:33:22 2024 +0000
committer Nikita Ioffe <ioffe@google.com> Thu Jan 09 02:02:05 2025 +0000
tree f302fc4c6d32a19fb5723f799ea5b948cec99c58
parent 15a8dbb7fcc5699aba3f69c6e292dc4995af8003

Add basic sepolicy for the IVmCapabilities HAL

Bug: 360102915
Test: builds
Test: presubmit
Change-Id: I1b7f73a9e3ff1ad35c318ac56667c64775de4064

private/attributes

diff --git a/private/attributes b/private/attributes
index 13479c9..0da777a 100644
--- a/private/attributes
+++ b/private/attributes
@@ -31,3 +31,7 @@
 until_board_api(202504, `
     attribute tee_service_type;
 ')
+
+until_board_api(202504, `
+    hal_attribute(vm_capabilities);
+')

private/compat/202404/202404.ignore.cil

diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0aa0580..0af156f 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -16,6 +16,7 @@
     forensic_service
     fstype_prop
     hal_mediaquality_service
+    hal_vm_capabilities_service
     intrusion_detection_service
     media_quality_service
     proc_cgroups

private/dumpstate.te

diff --git a/private/dumpstate.te b/private/dumpstate.te
index a1c9ed3..a14454d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -347,6 +347,7 @@
 dump_hal(hal_sensors)
 dump_hal(hal_thermal)
 dump_hal(hal_vehicle)
+dump_hal(hal_vm_capabilities)
 dump_hal(hal_weaver)
 dump_hal(hal_wifi)
 

private/hal_vm_capabilities.te

diff --git a/private/hal_vm_capabilities.te b/private/hal_vm_capabilities.te
new file mode 100644
index 0000000..3197784
--- /dev/null
+++ b/private/hal_vm_capabilities.te
@@ -0,0 +1,9 @@
+# Domain for the VM capability HAL, which is used to allow some pVMs to issue
+# vendor-specific SMCs.
+
+binder_call(hal_vm_capabilities_client, hal_vm_capabilities_server)
+
+hal_attribute_service(hal_vm_capabilities, hal_vm_capabilities_service)
+
+binder_use(hal_vm_capabilities_client)
+binder_use(hal_vm_capabilities_server)

private/service.te

diff --git a/private/service.te b/private/service.te
index ce648c2..7a2153b 100644
--- a/private/service.te
+++ b/private/service.te
@@ -69,6 +69,10 @@
     type ranging_service, app_api_service, system_server_service, service_manager_type;
 ')
 
+until_board_api(202504, `
+    type hal_vm_capabilities_service, protected_service, hal_service_type, service_manager_type;
+')
+
 ###
 ### Neverallow rules
 ###

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index e2998c7..cd1231e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -138,6 +138,8 @@
 android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
 android.hardware.security.secretkeeper.ISecretkeeper/default         u:object_r:hal_secretkeeper_service:s0
 android.hardware.security.secretkeeper.ISecretkeeper/nonsecure       u:object_r:hal_secretkeeper_service:s0
+android.hardware.virtualization.capabilities.IVmCapabilitiesService/default u:object_r:hal_vm_capabilities_service:s0
+android.hardware.virtualization.capabilities.IVmCapabilitiesService/noop u:object_r:hal_vm_capabilities_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0

private/su.te

diff --git a/private/su.te b/private/su.te
index 1e2adef..247fd0b 100644
--- a/private/su.te
+++ b/private/su.te
@@ -127,6 +127,7 @@
   typeattribute su hal_tv_tuner_client;
   typeattribute su hal_usb_client;
   typeattribute su hal_vibrator_client;
+  typeattribute su hal_vm_capabilities_client;
   typeattribute su hal_vr_client;
   typeattribute su hal_weaver_client;
   typeattribute su hal_wifi_client;