Add vehicle_binding_util SELinux context

Adds required context for 'vehicle_binding_util' to 'vold' interactions.
vehicle_binding_util forks and calls execvp() on vdc,
and vdc in turn calls vold to set the binding seed value.

Test: manual 'make'
Bug: 157501579
Change-Id: I5194c9cd0f5a910b1309b547aabf66bb9c397738
diff --git a/private/file_contexts b/private/file_contexts
index d34f64f..2ac0981 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -370,6 +370,7 @@
 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
+/system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/vdc.te b/private/vdc.te
index bc7409e..63c9c2a 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,6 @@
 typeattribute vdc coredomain;
 
 init_daemon_domain(vdc)
+
+# Allow stdin/out back to vehicle_binding_util
+allow vdc vehicle_binding_util:fd use;
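Review bot: The added `fd use` rule only lets vdc use descriptors inherited from vehicle_binding_util; it does not grant read or write on the object behind them. The new vehicle_binding_util.te says output is redirected through devpts, so vdc also needs `devpts:chr_file` access for its writes to succeed. That rule is not among the lines visible here and presumably lives elsewhere in the vdc policy, so it is worth confirming with a boot log free of vdc denials. The rule also covers every descriptor left open across the exec, not just stdio, so I would reword the comment to `# vdc uses descriptors inherited from vehicle_binding_util (its redirected stdio)`.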
diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te
new file mode 100644
index 0000000..76d0756
--- /dev/null
+++ b/private/vehicle_binding_util.te
@@ -0,0 +1,20 @@
+# vehicle binding util startup application
+type vehicle_binding_util, domain, coredomain;
+
+# allow init to start vehicle_binding_util
+type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(vehicle_binding_util)
+
+# allow writing to kmsg during boot
+allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
+
+# allow reading the binding property from vhal
+hwbinder_use(vehicle_binding_util)
+hal_client_domain(vehicle_binding_util, hal_vehicle)
+
+# allow executing vdc
+domain_auto_trans(vehicle_binding_util, vdc_exec, vdc)
+
+# devpts is needed to redirect output from vdc
+allow vehicle_binding_util devpts:chr_file rw_file_perms;
+
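Review bot: The last rule grants `rw_file_perms` on the generic `devpts` type, which includes `open` and applies to any pty carrying that label, while the comment only describes redirecting vdc's output. If the utility only reads and writes a descriptor it already holds, `allow vehicle_binding_util devpts:chr_file { getattr read write ioctl };` should be enough; if it opens a pty itself, the comment should say so. Separately, the comment above `hal_client_domain(vehicle_binding_util, hal_vehicle)` says "reading", but the macro grants full client access to the vehicle HAL, so I would word it `# allow talking to the vehicle HAL to obtain the binding property`. Since this domain relays the binding seed towards vold and is allowed to write to kmsg, it is also worth confirming that the binary never logs the seed value itself.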