6.hal服务sepolicy 以sensor hal为例

以sensor为例

1. system/sepolicy/public/attributes
   hal_attribute(sensors);

2. system/sepolicy/vendor/file_contexts

/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0

3. system/sepolicy/vendor/hal_sensors_default.te

   #定义名为hal_sensosde type  关联到domain属性，system分区必须加coredomain 
   type hal_sensors_default, domain;
   # 把hal_sensors_default 设置为hal_sensors的server domain hal_sensors在hal_sensors中定义
   hal_server_domain(hal_sensors_default, hal_sensors)
   # 定义hal_sensors_default_exec  具有exec_type, vendor_file_type, file_type;属性
   type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
   # 令domain从init转换到hal_sensos_default,使之可以执行 hal daemon 进程启动的二进制文件
   init_daemon_domain(hal_sensors_default)
   
   allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
   
   allow hal_sensors_default input_device:dir r_dir_perms;
   allow hal_sensors_default input_device:chr_file r_file_perms;
   
   # Allow sensor hals to access and use gralloc memory allocated by
   # android.hardware.graphics.allocator
   allow hal_sensors_default hal_graphics_allocator_default:fd use;
   allow hal_sensors_default ion_device:chr_file r_file_perms;
   allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
   
   # allow sensor hal to use lock for keeping system awake for wake up
   # events delivery.
   wakelock_use(hal_sensors_default);
   
   # allow sensor hal to use ashmem fd from system_server.
   allow hal_sensors_default system_server:fd use;
   

4. system/sepolicy/public/hal_sensors.te

   # HwBinder IPC from client to server
   binder_call(hal_sensors_client, hal_sensors_server)
   
   hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
   
   # Allow sensor hals to access ashmem memory allocated by apps
   allow hal_sensors { appdomain -isolated_app }:fd use;
   
   # Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
   # fd is passed in from framework sensorservice HAL.
   allow hal_sensors hal_allocator:fd use;
   
   # allow to run with real-time scheduling policy
   allow hal_sensors self:global_capability_class_set sys_nice;
   
   add_service(hal_sensors_server, hal_sensors_service)
   binder_call(hal_sensors_server, servicemanager)
   
   allow hal_sensors_client hal_sensors_service:service_manager find;
   

5. system/sepolicy/private/service_contexts

   android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0

6. system/sepolicy/public/service.te

   type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

• 查看安全上下文
  • ps -AZ
  • ls -Z

https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy

    public/attributes:
    // define hal_foo, hal_foo_client, hal_foo_server
    hal_attribute(foo)

    public/service.te
    // define hal_foo_service
    type hal_foo_service, hal_service_type, protected_service, service_manager_type

    public/hal_foo.te:
    // allow binder connection from client to server
    binder_call(hal_foo_client, hal_foo_server)
    // allow client to find the service, allow server to register the service
    hal_attribute_service(hal_foo, hal_foo_service)
    // allow binder communication from server to service_manager
    binder_use(hal_foo_server)

    private/service_contexts:
    // bind an AIDL service name to the selinux type
    android.hardware.foo.IFooXxxx/default u:object_r:hal_foo_service:s0

    private/<some_domain>.te:
    // let this domain use the hal service
    binder_use(some_domain)
    hal_client_domain(some_domain, hal_foo)

    vendor/<some_hal_server_domain>.te
    // let this domain serve the hal service
    hal_server_domain(some_hal_server_domain, hal_foo)