android 系统(13)---Android O treble 新增hal hwservice selinux policy

 
EX: vendor.mediatek.hardware.xxxxxx

 
1.hwservice.te
# Declare the hwservice type that the vendor HAL will register with
# hwservicemanager; hwservice_manager_type marks it as a HIDL service label.
type mtk_hal_xxx_hwservice, hwservice_manager_type;

2-1.hwservice_contexts
# Map the HIDL interface name (package::Interface) to the hwservice type
# declared in hwservice.te, so hwservicemanager can enforce add/find on it.
vendor.mediatek.hardware.xxx::IXXX u:object_r:mtk_hal_xxx_hwservice:s0
2-2.file_contexts 
# Label the service binary with the exec type from mtk_hal_xxx.te.
# The regex matches the binary under both /vendor and /system/vendor;
# the version in the file name (@1.1) must match the real binary name.
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.xxx@1\.1-service u:object_r:mtk_hal_xxx_exec:s0

3.mtk_hal_xxx.te
# --- Domain and executable type ---
type mtk_hal_xxx, domain;                                            # new process domain for the vendor HAL service
type mtk_hal_xxx_exec, exec_type, file_type, vendor_file_type;       # type of the service binary (assigned in file_contexts)

# --- Basic setup that every mtk_hal_xxx.te needs ---
hal_server_domain(mtk_hal_xxx, hal_xxx)      # mtk_hal_xxx serves the hal_xxx HAL that AOSP already defines
init_daemon_domain(mtk_hal_xxx)              # init launches the binary and transitions into mtk_hal_xxx

# --- Expose the vendor hwservice ---
add_hwservice(hal_xxx_server, mtk_hal_xxx_hwservice)               # only hal_xxx server domains (i.e. this one) may register it
allow hal_xxx_client mtk_hal_xxx_hwservice:hwservice_manager find; # hal_xxx clients may look it up

# add your additional policy here
 
 
案例(mtk_hal_power)

1.
/device/mediatek/sepolicy/basic/non_plat/hwservice.te 
# hwservice type for the MediaTek power HAL; referenced by hwservice_contexts
# and by the add_hwservice()/find rules in mtk_hal_power.te.
type mtk_hal_power_hwservice, hwservice_manager_type;

2.
/device/mediatek/sepolicy/basic/non_plat/hwservice_contexts 
# Bind the vendor IPower interface to mtk_hal_power_hwservice (hwservice.te).
vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0 

/device/mediatek/sepolicy/basic/non_plat/file_contexts 
# Label the power HAL binary (1.1 service) so init_daemon_domain() can
# transition it into the mtk_hal_power domain.
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.power@1\.1-service u:object_r:mtk_hal_power_exec:s0


3.
/device/mediatek/sepolicy/basic/non_plat/mtk_hal_power.te

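# Process domain for the MediaTek power HAL service.
type mtk_hal_power, domain;
# File type of the HAL binary (assigned in file_contexts).
type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;

# Make mtk_hal_power a server of the AOSP-defined hal_power HAL
# (it receives the hal_power_server and hal_power attributes).
hal_server_domain(mtk_hal_power, hal_power)

# init starts the binary and it transitions into mtk_hal_power.
init_daemon_domain(mtk_hal_power)

# hwbinder access: talk to hwservicemanager.
hwbinder_use(mtk_hal_power)

# Explicit rules kept from the original policy. They are likely already
# granted through hwbinder_use() / hal_server_domain() in AOSP policy
# (hal_power_server is the registrar of hal_power_hwservice), so they can
# be dropped once a build shows no denials -- verify against the AOSP macros.
allow mtk_hal_power hwservicemanager_prop:file r_file_perms;
allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;

# Only hal_power server domains may register the vendor hwservice.
# Pass the hal_power_server attribute, as the template does, rather than
# hal_power: hal_power also covers client domains, which would both grant
# them `add` and weaken the neverallow that add_hwservice() emits.
add_hwservice(hal_power_server, mtk_hal_power_hwservice)

# hal_power clients may look up the vendor hwservice.
allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;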
...
