Make AIDL HAL client attribute an exclusive client. Like HIDL HALs, if we have a service which is allowed to access hal_<foo>_service, we want that service to have the attribute hal_<foo>_client. Unlike HIDL HALs, some AIDL services are allowed to get ahold of all HALs, so these have to be exempted from this check. Fixes: 168152053 Test: neverallows pass Change-Id: I4bce6d9441c2921c3ea40f2b01fef4030c02a28a

commit: 82f7900341a0a5528bb7fa0bc3cdc0d6dcf27ea0 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Thu Sep 10 22:57:51 2020 +0000
committer: Ilya Matyukhin <ilyamaty@google.com> Fri Sep 11 00:02:00 2020 +0000
tree: a542b753f1bf0910a6184133f136c12c5012230d
parent: c71c2993e925165a56cb2fec75a98ea3a4c14e78 [diff] [blame]
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 929f120..99b6065 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te

@@ -3,12 +3,10 @@
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
 hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
 
-add_service(hal_fingerprint_server, hal_fingerprint_service)
 binder_call(hal_fingerprint_server, servicemanager)
 
-allow hal_fingerprint_client hal_fingerprint_service:service_manager find;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
commit	82f7900341a0a5528bb7fa0bc3cdc0d6dcf27ea0	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Thu Sep 10 22:57:51 2020 +0000
committer	Ilya Matyukhin <ilyamaty@google.com>	Fri Sep 11 00:02:00 2020 +0000
tree	a542b753f1bf0910a6184133f136c12c5012230d
parent	c71c2993e925165a56cb2fec75a98ea3a4c14e78 [diff] [blame]