SEPolicy rules for CAN bus HAL
Bug: 135918744
Test: VTS (separate new change)
Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e4b0897..83c8eee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -10,6 +10,8 @@
platform_compat_service
ctl_apexd_prop
device_config_sys_traced_prop
+ hal_can_bus_hwservice
+ hal_can_controller_hwservice
ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9259202..e22175e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -9,6 +9,8 @@
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
+android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
diff --git a/public/attributes b/public/attributes
index d296a46..1375978 100644
--- a/public/attributes
+++ b/public/attributes
@@ -251,6 +251,8 @@
hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(configstore);
hal_attribute(confirmationui);
diff --git a/public/hal_can.te b/public/hal_can.te
new file mode 100644
index 0000000..c75495b
--- /dev/null
+++ b/public/hal_can.te
@@ -0,0 +1,9 @@
+# CAN controller
+binder_call(hal_can_controller_client, hal_can_controller_server)
+add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
+allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+
+# CAN bus
+binder_call(hal_can_bus_client, hal_can_bus_server)
+add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
+allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
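Review bot: The `find` permission on both CAN hwservices is granted with a separate `add_hwservice` line and `allow ... find` line, and no rule here stops a later change from granting lookup to other domains. Where this tree's te_macros provides it, `hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)` and `hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)` express the same pair. As far as I know the macro also adds a build-time neverallow on `find` for domains outside the client and server attributes, so confirm that against the macro definition in this tree. The two header comments could also say what each interface exposes, for example `# CAN bus: frame I/O on a configured interface; keep client membership narrow`, which is inferred here only from the comments in the vendor policy.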
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 0f05d8a..4117878 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -3,6 +3,7 @@
neverallow {
halserverdomain
-hal_bluetooth_server
+ -hal_can_controller_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
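Review bot: The new `-hal_can_controller_server` exemption in this neverallow, and the identical line added to the second neverallow in the next hunk, has no comment explaining why a CAN HAL must be excluded. Both neverallow bodies lie outside the hunks, so the exempted permissions cannot be confirmed from this page. The vendor policy in this change grants `net_admin` and a `udp_socket` to the implementing domain, which is presumably the reason. Because the exemption is keyed on the attribute, every domain that later declares `hal_server_domain(x, hal_can_controller)` inherits it. A comment above each rule, such as `# hal_can_controller_server: configures SocketCAN interfaces (net_admin; udp_socket for if_nametoindex)`, would make that scope reviewable.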
@@ -18,6 +19,7 @@
neverallow {
halserverdomain
-hal_automotive_socket_exemption
+ -hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
diff --git a/public/hwservice.te b/public/hwservice.te
index 670b8b8..9f1f42c 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -13,6 +13,8 @@
type hal_bootctl_hwservice, hwservice_manager_type;
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
+type hal_can_bus_hwservice, hwservice_manager_type;
+type hal_can_controller_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
type hal_confirmationui_hwservice, hwservice_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 85f12b2..43e149e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
new file mode 100644
index 0000000..9ee37fd
--- /dev/null
+++ b/vendor/hal_can_socketcan.te
@@ -0,0 +1,26 @@
+type hal_can_socketcan, domain;
+hal_server_domain(hal_can_socketcan, hal_can_controller)
+hal_server_domain(hal_can_socketcan, hal_can_bus)
+
+type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_can_socketcan)
+
+# Managing SocketCAN interfaces
+allow hal_can_socketcan self:capability net_admin;
+allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
+
+# Calling if_nametoindex(3) to open CAN sockets
+allow hal_can_socketcan self:udp_socket { create ioctl };
+allowxperm hal_can_socketcan self:udp_socket ioctl {
+ SIOCGIFINDEX
+};
+
+# Communicating with SocketCAN interfaces and bringing them up/down
+allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allowxperm hal_can_socketcan self:can_socket ioctl {
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
+};
+
+# Un-publishing ICanBus interfaces
+allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
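Review bot: `SIOCSIFFLAGS` combined with `net_admin` is not limited to CAN devices. The ioctl names its target interface in the request and this policy cannot scope it by interface type, so the domain can change flags on any network interface. If interface names reach the service from ICanController clients (not visible on this page), the implementation has to verify that the named interface is a CAN device before acting on it. The file also puts the controller and bus servers in one domain, so the process handling frames for bus clients holds `net_admin` as well. A comment above the capability rule, such as `# net_admin applies to all netdevs; the service must reject non-CAN interface names`, would record that assumption.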