Find hal_foo_hwservice -> you are hal_foo_client.
Before, it was possible to access a hwservice without declaring
that you were a client.
This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)
which makes sure the above implication holds using a neverallow rule.
Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index dc5f6d0..664f277 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,7 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_keymaster, hal_keymaster_hwservice)
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster ion_device:chr_file r_file_perms;