Find hal_foo_hwservice -> you are hal_foo_client. Before, it was possible to access a hwservice without declaring that you were a client. This introduces the following macro: hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice) which makes sure the above implication holds using a neverallow rule. Bug: 80319537 Test: boot + sanity Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6

commit: 8fc79818854dffd133d2e40358a33cdd84f4d511 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Wed May 30 16:43:17 2018 -0700
committer: Steven Moreland <smoreland@google.com> Wed May 30 16:46:57 2018 -0700
tree: 2dbbfb7b44568ca13e081f612cd411679ce8f86b
parent: 7baf725ea63c9db5a360ba3d4516c30e2ad18d4a [diff] [blame]
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 123acf5..0ff8f08 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te

@@ -1,7 +1,7 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gatekeeper, hal_gatekeeper_hwservice)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
commit	8fc79818854dffd133d2e40358a33cdd84f4d511	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Wed May 30 16:43:17 2018 -0700
committer	Steven Moreland <smoreland@google.com>	Wed May 30 16:46:57 2018 -0700
tree	2dbbfb7b44568ca13e081f612cd411679ce8f86b
parent	7baf725ea63c9db5a360ba3d4516c30e2ad18d4a [diff] [blame]