commit c447b9b09ce864bf96af8ae3824eeac182f97b83
author Tianjie <xunchang@google.com> Wed Dec 30 13:07:01 2020 -0800
committer Tianjie <xunchang@google.com> Sat Jan 16 19:18:05 2021 -0800
tree 717585ff46fb8128fe0e38b87c40463253c9f3b7
parent fbe18136feeea4d5d6e00ac91b01df895fdd45b9

Make system server a client of boot control HAL

To support multi-client resume on reboot, the recovery system
service want to query the active boot slot on the next boot; and
abort the reboot if the active slot is different from clients'
expectation.

Denial:
SELinux : avc:  denied  { find } for interface=android.hardware.boot::IBootControl
sid=u:r:system_server:s0 pid=1700 scontext=u:r:system_server:s0
tcontext=u:object_r:hal_bootctl_hwservice:s0 tclass=hwservice_manager permissive=1

Bug: 173808057
Test: adb shell cmd recovery reboot-and-apply ota reason
Change-Id: I6a303d8dcbae89a2287d96ae3116109e2a43bbd6

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 69e04d9..ca2d862 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -260,6 +260,10 @@
 hal_client_domain(system_server, hal_wifi)
 hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
 
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;