Add sepolicies for CPU HAL.
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 34fad7f..6e63dda 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -43,6 +43,7 @@
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
"android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.cpu.monitor.IMonitor/default": EXCEPTION_NO_FUZZER,
"android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
"android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
"android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a58129e..1bb5557 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,6 +13,8 @@
devicelock_service
hal_bootctl_service
hal_cas_service
+ hal_cpu_hwservice
+ hal_cpu_service
hal_remoteaccess_service
hal_thermal_service
hal_usb_gadget_service
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 4a44dc5..c87a792 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -27,6 +27,7 @@
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.cpu.monitor::IMonitor u:object_r:hal_cpu_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
diff --git a/private/service_contexts b/private/service_contexts
index 2b9e88f..2e2e7b2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -21,6 +21,7 @@
android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.cpu.monitor.IMonitor/default u:object_r:hal_cpu_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9d1f97f..e8395ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -310,6 +310,7 @@
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_cpu)
hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
@@ -391,6 +392,7 @@
hal_bluetooth_server
hal_camera_server
hal_codec2_server
+ hal_cpu_server
hal_face_server
hal_fingerprint_server
hal_gnss_server
diff --git a/public/attributes b/public/attributes
index 121adc0..d462c09 100644
--- a/public/attributes
+++ b/public/attributes
@@ -333,6 +333,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(cpu);
hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0864ee0..ea973fe 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -81,6 +81,7 @@
hal_broadcastradio_server
hal_camera_server
hal_codec2_server
+ hal_cpu_server
hal_drm_server
hal_evs_server
hal_face_server
@@ -150,6 +151,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_authsecret)
dump_hal(hal_contexthub)
+dump_hal(hal_cpu)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_face)
diff --git a/public/hal_cpu.te b/public/hal_cpu.te
new file mode 100644
index 0000000..4bf7e12
--- /dev/null
+++ b/public/hal_cpu.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cpu_client, hal_cpu_server)
+binder_call(hal_cpu_server, hal_cpu_client)
+
+hal_attribute_hwservice(hal_cpu, hal_cpu_hwservice)
+hal_attribute_service(hal_cpu, hal_cpu_service)
+
+binder_call(hal_cpu_server, servicemanager)
+binder_call(hal_cpu_client, servicemanager)
diff --git a/public/hwservice.te b/public/hwservice.te
index 11b77f0..574702f 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -19,6 +19,7 @@
type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_cpu_hwservice, hwservice_manager_type, protected_hwservice;
type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/service.te b/public/service.te
index db7c298..fefdbd6 100644
--- a/public/service.te
+++ b/public/service.te
@@ -276,6 +276,7 @@
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
+type hal_cpu_service, protected_service, hal_service_type, service_manager_type;
type hal_dice_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 730c1e0..74c386e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -72,6 +72,7 @@
typeattribute su hal_configstore_client;
typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
+ typeattribute su hal_cpu_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
typeattribute su hal_dumpstate_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5681054..bd93f37 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -35,6 +35,7 @@
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cpu\.monitor-service\.example u:object_r:hal_cpu_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
diff --git a/vendor/hal_cpu_default.te b/vendor/hal_cpu_default.te
new file mode 100644
index 0000000..bda2e31
--- /dev/null
+++ b/vendor/hal_cpu_default.te
@@ -0,0 +1,11 @@
+type hal_cpu_default, domain;
+hal_server_domain(hal_cpu_default, hal_cpu)
+
+type hal_cpu_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cpu_default)
+
+# Allow reading /proc/stat
+allow hal_cpu_default proc_stat:file r_file_perms;
+
+# Allow reading cpuset information
+allow hal_cpu_default cgroup:dir r_dir_perms;