From dfdaceabf2be554f02ec2afa0d824afa0da136b4 Mon Sep 17 00:00:00 2001
From: Brian Duddie
Date: Tue, 28 Mar 2017 16:55:08 -0700
Subject: [PATCH] Add binderized context hub HAL
Add context hub HAL implementation to the build, with new sepolicy files that resolve these denials:
type=1400 audit(4779207.059:418): avc: denied { write } for pid=809 comm="android.hardwar" name="chre" dev="tmpfs" ino=32491 scontext=u:r:hal_contexthub_default:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
type=1400 audit(5568590.159:45): avc: denied { connectto } for pid=734 comm="android.hardwar" path="/dev/socket/chre" scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
Bug: 35808469
Test: confirm HAL gets loaded, VTS passes, no denials from hal_contexthub_default
Change-Id: I1882571c0541de78242755cd4b3b1548365a388b
---
 device.mk | 5 +++++
 manifest.xml | 6 ++++++
 sepolicy/file.te | 1 +
 sepolicy/file_contexts | 1 +
 sepolicy/hal_contexthub.te | 3 +++
 5 files changed, 16 insertions(+)
 create mode 100644 sepolicy/hal_contexthub.te
diff --git a/device.mk b/device.mk
index e62533b9..3b645a9d 100644
--- a/device.mk
+++ b/device.mk
@@ -301,6 +301,11 @@ PRODUCT_PACKAGES += \
 fs_config_dirs \
 fs_config_files
+# Context hub HAL
+PRODUCT_PACKAGES += \
+ android.hardware.contexthub@1.0-impl.generic \
+ android.hardware.contexthub@1.0-service
+
 # Boot control HAL
 PRODUCT_PACKAGES += \
 android.hardware.boot@1.0-impl \
diff --git a/manifest.xml b/manifest.xml
index 3976cdef..ac94159f 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -37,6 +37,12 @@
 legacy/0 + + android.hardware.contexthub + hwbinder + + 1.0 + android.hardware.graphics.allocator hwbinder
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1faab618..c671e7ea 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -24,6 +24,7 @@ type perfd_socket, file_type;
 type ims_socket, file_type;
 type cnd_socket, file_type;
+type chre_socket, file_type;
 type firmware_file, fs_type, contextmount_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 50bbb489..cf9dd598 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -34,6 +34,7 @@
 /dev/easelcomm-client u:object_r:easel_device:s0
 # dev socket nodes
+/dev/socket/chre u:object_r:chre_socket:s0
 /dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
diff --git a/sepolicy/hal_contexthub.te b/sepolicy/hal_contexthub.te
new file mode 100644
index 00000000..10c5d53d
--- /dev/null
+++ b/sepolicy/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
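Review bot: The new `/dev/socket/chre` entry in file_contexts assigns `chre_socket` only to nodes that are labeled from this table (init-created sockets and restorecon), and the quoted denial shows the node currently landing as `socket_device`. If the socket is declared in the daemon's init `.rc` it will pick up this label automatically; if the `chre` daemon creates the socket itself, `chre.te` would additionally need a create/`type_transition` rule for `chre_socket` that this change does not include, so the new `hal_contexthub.te` rules would still not match the object's actual label. Either way, confirming the resulting label with `ls -Z /dev/socket/chre` on an enforcing build would close the loop, since the commit's test note was gathered with `permissive=1`. A short comment beside the entry, `# labeled chre_socket so hal_contexthub_default can connect (see hal_contexthub.te)`, would document why the node is split out from the generic socket_device label.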
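Review bot: The two `allow` lines in the new hal_contexthub.te are exactly the expansion of the Android te_macros helper `unix_socket_connect(clientdomain, socket, serverdomain)`, and the `chre_socket` type added in file.te already follows the `<name>_socket` convention that macro expects, so the idiomatic form is a single line: `unix_socket_connect(hal_contexthub_default, chre, chre)`. The header comment could also name the peer and path rather than "daemon": `# Allow the context hub HAL to connect to the chre daemon over /dev/socket/chre`. Note that the grant is on the `hal_contexthub_default` domain rather than the `hal_contexthub` attribute; that matches the binderized-only setup this commit describes, but if a passthrough (in-process) configuration were ever enabled on this device the attribute form would be needed for the same permissions to apply, so it may be worth a comment stating the binderized assumption.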