Make AIDL HAL client attribute an exclusive client. Like HIDL HALs, if we have a service which is allowed to access hal_<foo>_service, we want that service to have the attribute hal_<foo>_client. Unlike HIDL HALs, some AIDL services are allowed to get ahold of all HALs, so these have to be exempted from this check. Fixes: 168152053 Test: neverallows pass Change-Id: I4bce6d9441c2921c3ea40f2b01fef4030c02a28a

commit: 82f7900341a0a5528bb7fa0bc3cdc0d6dcf27ea0 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Thu Sep 10 22:57:51 2020 +0000
committer: Ilya Matyukhin <ilyamaty@google.com> Fri Sep 11 00:02:00 2020 +0000
tree: a542b753f1bf0910a6184133f136c12c5012230d
parent: c71c2993e925165a56cb2fec75a98ea3a4c14e78 [diff] [blame]
diff --git a/public/hal_light.te b/public/hal_light.te
index 4aa824a..40829b6 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te

@@ -3,13 +3,9 @@
 binder_call(hal_light_server, hal_light_client)
 
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
 
-# server adds itself via service_manager
-add_service(hal_light_server, hal_light_service)
 binder_call(hal_light_server, servicemanager)
-
-# client finds and uses server via service_manager
-allow hal_light_client hal_light_service:service_manager find;
 binder_use(hal_light_client)
 
 allow hal_light_server dumpstate:fifo_file write;
commit	82f7900341a0a5528bb7fa0bc3cdc0d6dcf27ea0	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Thu Sep 10 22:57:51 2020 +0000
committer	Ilya Matyukhin <ilyamaty@google.com>	Fri Sep 11 00:02:00 2020 +0000
tree	a542b753f1bf0910a6184133f136c12c5012230d
parent	c71c2993e925165a56cb2fec75a98ea3a4c14e78 [diff] [blame]