sepolicy: bridge oemlock hal and bootctl HAL

Enable the oemlock-bridge to provide access to a reserved region in misc used by bootctl and the vendor bootloader. Test: oemlock hal integration tests work with oemlock-bridge and the oemlock hal service running. Bug: 62052545 Change-Id: I19c311917ccb95846e2136e858f2b862fe5390bb
2026-02-01 07:50:47 +00:00 · 2017-05-25 14:03:55 -05:00
parent b959e44a49
commit eb483f8f0a
4 changed files with 10 additions and 3 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -32,6 +32,7 @@ type perfd_socket, file_type;
 type ims_socket, file_type;
 type cnd_socket, file_type;
 type chre_socket, file_type;
+type hal_bootctl_socket, file_type;

 type firmware_file, fs_type, contextmount_type;

--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -39,6 +39,7 @@

 # dev socket nodes
 /dev/socket/chre                                u:object_r:chre_socket:s0
+/dev/socket/oemlock                             u:object_r:hal_bootctl_socket:s0
 /dev/socket/qmux_audio(/.*)?                    u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_bluetooth(/.*)?                u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_gps(/.*)?                      u:object_r:qmuxd_socket:s0
@@ -215,6 +216,8 @@
 /vendor/bin/ese-replay          u:object_r:esed_exec:s0
 /vendor/bin/ese-ls-provision    u:object_r:esed_exec:s0
 /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service               u:object_r:hal_oemlock_default_exec:s0
+/vendor/bin/oemlock_provision   u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/oemlock-bridge      u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.1-service.wahoo             u:object_r:hal_usb_default_exec:s0
 /vendor/bin/chre                u:object_r:chre_exec:s0
 /vendor/bin/folio_daemon        u:object_r:folio_daemon_exec:s0
--- a/sepolicy/hal_bootctl.te
+++ b/sepolicy/hal_bootctl.te
@@ -11,6 +11,7 @@ allow hal_bootctl ab_block_device:blk_file getattr;
 allow hal_bootctl boot_block_device:blk_file rw_file_perms;
 allow hal_bootctl modem_block_device:blk_file getattr;
 allow hal_bootctl system_block_device:blk_file getattr;
+allow hal_bootctl misc_block_device:blk_file rw_file_perms;

 # Access /dev/sgN devices (generic SCSI) to write the
 # A/B slot selection for the XBL partition. Allow also to issue a
@@ -25,3 +26,6 @@ allow hal_bootctl sysfs:dir r_dir_perms;

 # Write to the XBL devices.
 allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
+
+# Expose a socket for brokered boot message access for hal_oemlock.
+allow hal_bootctl hal_bootctl_socket:sock_file create_file_perms;
--- a/sepolicy/hal_oemlock_default.te
+++ b/sepolicy/hal_oemlock_default.te
@@ -1,9 +1,8 @@
 type hal_oemlock_default, domain;
 hal_server_domain(hal_oemlock_default, hal_oemlock)

-# TODO: work out new permissions
-#allow hal_oemlock_default misc_block_device:blk_file rw_file_perms;
-#allow hal_oemlock_default frp_block_device:blk_file rw_file_perms;
+allow hal_oemlock_default hal_bootctl_socket:sock_file write;
+allow hal_oemlock_default hal_bootctl:unix_stream_socket connectto;

 type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_oemlock_default)