Remove hal_gatekeeper from gatekeeperd domain
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
This partially reverts the moving of rules out of gatekeeperd in
commit a9ce208680b3a9c1ddcf9bfce886909b66297964.
Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e842cd2..94fb2b9 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,18 +1,26 @@
type gatekeeperd, domain;
-# normally uses HAL; implements HAL in pass-through mode only
-hal_impl_domain(gatekeeperd, hal_gatekeeper)
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hwbinder_use(gatekeeperd)
+###
+
# need to find KeyStore and add self
add_service(gatekeeperd, gatekeeper_service)
-# Scan through /system/lib64/hw looking for installed HALs
-allow gatekeeperd system_file:dir r_dir_perms;
-
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };