Merge "Enforce one HAL per domain."
diff --git a/private/app.te b/private/app.te
index 1b1f4ca..04be106 100644
--- a/private/app.te
+++ b/private/app.te
@@ -246,6 +246,9 @@
# Allow app to access the graphic allocator HAL
binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
+# App can access configstore HAL which is read only
+binder_call({ appdomain -isolated_app }, hal_configstore)
+
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
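Review bot: The added `binder_call({ appdomain -isolated_app }, hal_configstore)` targets the broad `hal_configstore` attribute, while other hunks in this commit move callers onto `_server` attributes (`hal_allocator_server` in `public/hal_camera.te` and `public/te_macros`). If a `hal_configstore_server` attribute is defined (it is not visible on this page), `binder_call({ appdomain -isolated_app }, hal_configstore_server)` would be tighter, limiting apps to the process that actually serves the HAL. The comment also leans on "read only", which is a property of the HAL's interface and not something this rule enforces. I would reword it to `# Apps may call the configstore HAL; its interface is expected to expose only read-only configuration`. The rest of app.te lies outside the hunk.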
diff --git a/private/file_contexts b/private/file_contexts
index 1e7345a..94a2a53 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,7 +247,7 @@
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
#############################
# Vendor files
diff --git a/private/hal_allocator.te b/private/hal_allocator.te
deleted file mode 100644
index d185d49..0000000
--- a/private/hal_allocator.te
+++ /dev/null
@@ -1 +0,0 @@
-init_daemon_domain(hal_allocator)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
new file mode 100644
index 0000000..ff407d5
--- /dev/null
+++ b/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
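Review bot: The new file has no header comment, so nothing in it ties `hal_allocator_default` to the binary it confines or to the attribute it serves. I would add `# Default implementation of the HIDL allocator HAL (android.hidl.allocator@1.0-service)` at the top. Above the `hal_server_domain` line I would add `# Server side of hal_allocator; clients reach it via hwallocator_use()`. Both statements follow from the `private/file_contexts` and `public/te_macros` hunks in this commit.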
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 0aff9f5..3808c83 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -9,7 +9,6 @@
# Perform HwBinder IPC.
hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_allocator)
binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer)
diff --git a/public/attributes b/public/attributes
index 799a4fd..b9360a6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -121,6 +121,9 @@
attribute halclientdomain;
# HALs
+attribute hal_allocator;
+attribute hal_allocator_client;
+attribute hal_allocator_server;
attribute hal_audio;
attribute hal_audio_client;
attribute hal_audio_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f2364a7..a75524d 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -5,9 +5,11 @@
binder_use(cameraserver)
binder_call(cameraserver, binderservicedomain)
binder_call(cameraserver, appdomain)
+binder_call(cameraserver, hal_graphics_allocator)
binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera)
+hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
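Review bot: The added `binder_call(cameraserver, hal_graphics_allocator)` looks redundant and is broader than needed. This commit adds `binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)` in `public/hal_graphics_allocator.te` and drops the matching explicit rule from `private/surfaceflinger.te`. The new `hal_client_domain(cameraserver, hal_graphics_allocator)` should therefore already carry the HwBinder permission, assuming the macro assigns the `_client` attribute (its definition is not in this diff). I would remove the explicit line, or, if it has to stay, point it at `hal_graphics_allocator_server` instead of the whole `hal_graphics_allocator` attribute. The rest of cameraserver.te lies outside the hunk.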
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
deleted file mode 100644
index cab0145..0000000
--- a/public/hal_allocator.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# allocator subsystem
-type hal_allocator, domain;
-hal_impl_domain(hal_allocator)
-
-type hal_allocator_exec, exec_type, file_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 6ed06b7..b05239b 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -16,7 +16,7 @@
# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator:fd use;
+allow hal_camera hal_allocator_server:fd use;
###
### neverallow rules
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 45999be..e434751 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,3 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/te_macros b/public/te_macros
index 97dd948..60de568 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -338,7 +338,7 @@
# Allow a domain to use Hidl shared memory
define(`hwallocator_use', `
# Call into the allocator hal
-binder_call($1, hal_allocator);
+binder_call($1, hal_allocator_server);
')
#####################################