sepolicy: move and guard access to power HAL

On devices with prebuilt vendor, if the power HAL accesses input device nodes to support DT2W related feature, the resulting sepolicy may trigger following neverallow in system/sepolicy/public/app.te: neverallow { appdomain -shell # bugreport } input_device:chr_file ~getattr; Since the vendor image and the vendor sepolicy are prebuilt, power HAL sepolicy on such devices is often written in the following fashion: allow hal_power input_device:dir search; allow hal_power input_device:chr_file rw_file_perms; This combined with the flipendo/turbo_adapter sepolicy will give the app(s) direct access to input device nodes, thus triggering the neverallow. Considering that flipendo and turbo_adapter's access to power HAL is not critical, guard the sepolicy to allow opting out. Signed-off-by: Chenyang Zhong <[email protected]> Change-Id: Iac02247e2b0ac5ba5f3f464bd0b21ef41b99693b Signed-off-by: Chenyang Zhong <[email protected]> Signed-off-by: Anushek Prasal <[email protected]>
Havoc-OS · Aug 25, 2023 · b0d8acc · b0d8acc
1 parent 36d5ac6
commit b0d8acc
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 6 deletions.
diff --git a/common/dynamic/flipendo.te b/common/dynamic/flipendo.te
@@ -23,6 +23,3 @@ allow flipendo fwk_stats_hwservice:hwservice_manager find;
 
 # Allow flipendo to find color_display_service
 allow flipendo color_display_service:service_manager find;
-
-# Allow flipendo to find hal_power_service
-hal_client_domain(flipendo, hal_power);
diff --git a/common/dynamic/turbo_adapter.te b/common/dynamic/turbo_adapter.te
@@ -8,6 +8,3 @@ app_domain(turbo_adapter)
 
 # To use ServiceManager
 allow turbo_adapter app_api_service:service_manager find;
-
-# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
-hal_client_domain(turbo_adapter, hal_power)
diff --git a/common/dynamic_extra/flipendo.te b/common/dynamic_extra/flipendo.te
@@ -0,0 +1,2 @@
+# Access to PowerHal service
+hal_client_domain(flipendo, hal_power);
diff --git a/common/dynamic_extra/turbo_adapter.te b/common/dynamic_extra/turbo_adapter.te
@@ -0,0 +1,2 @@
+# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
+hal_client_domain(turbo_adapter, hal_power)
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
@@ -25,9 +25,15 @@ ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
     device/lineage/sepolicy/common/system
+
+ifneq ($(TARGET_HAL_POWER_RW_INPUT_DEVICE), true)
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/lineage/sepolicy/common/dynamic_extra
+endif
 else
 BOARD_VENDOR_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
+    device/lineage/sepolicy/common/dynamic_extra \
     device/lineage/sepolicy/common/vendor
 endif
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Access to PowerHal service
		hal_client_domain(flipendo, hal_power);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
		hal_client_domain(turbo_adapter, hal_power)